‘Graboid’ Crypto-Jacking Worm Targets Docker Hosts
Threat actors are taking advantage of Internet-facing unsecured Docker engines in order to distribute a cryptojacking worm, researchers with Palo Alto Networks have discovered. The malware is called Graboid and is capable infecting Docker containers that lack authentication and subsequently use the local processing resources to mine for Monero cryptocurrency.
Interestingly, the capabilities of the malware are distributed over different targets. The malware spreads by installing the worm on one target and then installing the cryptojacking malware on a second target. Finally, a software component designed to start the mining process is installed on a third target. The worm periodically checks in with the command and control (C&C) servers in order to select new targets to infect, which it seems to do at random. A Docker image on Docker Hub that is infected with the worm has been downloaded over 10,000 times, while another image that contains the crypto-jacking malware has been downloaded over 6,500 times.