Researchers have found what they are calling the first crpytojacking worm to spread to and from compromised containers in the Docker Engine.
Named Graboid as an homage to the monster worm in the 1990 movie Tremors, the malware mines Monero cryptocurrency from infected machines and randomly spreads to other vulnerable hosts. Indeed, the malware contains a list of over 2,000 IPs belonging to hosts with unsecured Docker API endpoints that are openly exposed to the internet, and thus susceptible to infection. More than half of the IPs, 57.4 percent, are based in China; the U.S. has the next highest share, at 13 percent.
Graboid mines coins in 250-second spurts, and is active 63 percent of the time, according to Palo Alto Networks' Unit 42 threat intelligence team, which unearthed the malware and detailed it today in a blog post authored by Senior Cloud Vulnerability and Exploit Researcher Jay Chen.
According to Unit 42, the attackers behind the worm were able to establish an initial foothold into their hosts by installing malicious images on unsecured Docker daemons. "Because most traditional endpoint protection software does not inspect data and activities inside containers, this type of malicious activity can be difficult to detect," Chen wrote.
Unit 42 has identified two malicious images that collectively have been downloaded more than 16,500 times. The threat unit said it has collaborated with the Docker team to remove these images.
Upon starting or restarting its malicious activity after each 250-second active spurt, Graboid randomly selects three targets. "It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target. This procedure leads to a very random mining behavior," Chen explained in the post. "If my host is compromised, the malicious container does not start immediately. Instead, I have to wait until another compromised host picks me and starts my mining process. Other compromised hosts can also randomly stop my mining process. Essentially, the miner on every infected host is randomly controlled by all other infected hosts."
The purpose of this methodology is not readily apparent, Unit 42 acknowledged, suggesting this could be an example of a bad design, an evasion technique or a self-sustaining system.
A research simulation of a 30-day Graboid attack on 2,000 vulnerable hosts found that it takes roughly an hour for the worm to spread to 70 percent of all potential victims (that's assuming a 30 percent failure rate). In such a scenario, a Graboid botnet would have 900 miners active at any given time, the simulation determined.