Bitcoin Forum
Author Topic: Attackers Cryptojacking Docker Images to Mine for Monero  (Read 216 times)
btc_angela (OP)
Hero Member
Activity: 2646
Merit: 549
June 26, 2020, 08:14:24 AM
Merited by suchmoon (7), DdmrDdmr (2), vapourminer (1), TravelMug (1), Baofeng (1)
 #1

Docker Hub is a cloud-based repository in which Docker users and partners create, test, store and distribute container images. Through Docker Hub, a user can access public, open source image repositories, as well as use a space to create their own private repositories, automated build functions, webhooks and work groups.

So now, cyber actors have also targeted this service, starting late last year, and taken advantage of it to mine Monero.

Docker Hub community user account named:
Code:
azurenql

So this account hosted 6 images, which have embedded malicious code that, once downloaded, mines Monero through a Python script, triggering cryptojacking without you noticing it.

Here's how everything works: [image not preserved]

So if by chance you have been using Docker Hub and downloaded this malicious image, just double check your machine and keep refraining from downloading base images from untrusted sites.

As of the latest figures, the XMR wallet has already earned 525.38 XMR, which roughly translates to $36,000.


https://unit42.paloaltonetworks.com/cryptojacking-docker-images-for-mining-monero/
https://searchitoperations.techtarget.com/definition/Docker-Hub

masulum
Legendary

Activity: 2268
Merit: 1597
June 26, 2020, 10:05:30 AM
 #2

So far I don't really understand why cryptojacking creators are more likely to target Monero mining than other crypto. Is it because of anonymity or because of other factors that make this coin a cryptojacker favorite? Also, is it potentially affecting our home PCs?
NeuroticFish
Legendary

Activity: 3710
Merit: 6428
June 26, 2020, 10:34:55 AM
Last edit: June 26, 2020, 01:17:51 PM by NeuroticFish
Merited by vapourminer (1)
 #3

> So far I don't really understand why cryptojacking creators are more likely to target Monero mining than other crypto. Is it because of anonymity or because of other factors that make this coin a cryptojacker favorite? Also, is it potentially affecting our home PCs?

That's simply because Monero is CPU minable, and possibly also because some of the miner programs (possibly also XMRig) give good results without using 100% of the CPU power of the machine.
If one doesn't pay attention, his tasks will run, although slower, and only at heavy load will he notice slowness.


> Just double check your machine and keep refraining from downloading base images from untrusted sites.

I am a Windoze guy and I still run and keep an eye on a tray icon that shows the CPU usage. Afaik Linux has even better tools for that. I encourage everybody to use such tools where possible.
I am not familiar with Docker, but I guess that the CPU usage (and processes) can be easily monitored on the resulting machine.

masulum
Legendary

Activity: 2268
Merit: 1597
June 26, 2020, 12:31:18 PM
 #4

Thank you @NeuroticFish. I tried to find where this file is hidden for Windows users, but from the source the position is not mentioned. Indeed, I have never visited the file mentioned by @OP, but it seems that the information is only in cases, not mentioning where this file is hidden if there are users who download files from azurenql for Windows. Or has this case not happened to Windows users? What steps should be taken if there are similar cases experienced by users? Because I think it could be that if the file was not detected by the antivirus before entering the database, this will be very detrimental to users who are very new to this matter, and it will also be difficult to detect.

yazher
Hero Member

Activity: 2226
Merit: 586
June 26, 2020, 01:11:01 PM
 #5

This is one of the annoying kinds of cryptojacking techniques out there, and if not detected, our PC would slow its performance. Some are having issues with their components because of this. Since silent mining was introduced in early 2015, there have been many cases of undetected miners installed on people's computers, most of them in internet cafes. That's why we need to be vigilant and look for a possible solution so as not to fall for their traps. I wish we had some kind of anti-virus to detect such cryptojacking, to prevent them from using our PC without our permission.
ABCbits
Legendary

Activity: 2912
Merit: 7577
June 26, 2020, 01:41:41 PM
Merited by vapourminer (1)
 #6

> Thank you @NeuroticFish. I tried to find where this file is hidden for Windows users, but from the source the position is not mentioned. Indeed, I have never visited the file mentioned by @OP, but it seems that the information is only in cases, not mentioning where this file is hidden if there are users who download files from azurenql for Windows. Or has this case not happened to Windows users? What steps should be taken if there are similar cases experienced by users? Because I think it could be that if the file was not detected by the antivirus before entering the database, this will be very detrimental to users who are very new to this matter, and it will also be difficult to detect.

If there's no article from trusted sources (such as popular tech news media or antivirus blogs), the easiest way is to format your storage and reinstall your OS.

> Just double check your machine and keep refraining from downloading base images from untrusted sites.

> I am a Windoze guy and I still run and keep an eye on a tray icon that shows the CPU usage. Afaik Linux has even better tools for that. I encourage everybody to use such tools where possible.
> I am not familiar with Docker, but I guess that the CPU usage (and processes) can be easily monitored on the resulting machine.

I think Windows Task Manager is good enough to see your CPU usage and which application uses your CPU. You don't need tools available for Linux since it's an overt (rather than covert) attack.

NeuroticFish
Legendary

Activity: 3710
Merit: 6428
June 26, 2020, 01:52:14 PM
 #7

> I think Windows Task Manager is good enough to see your CPU usage and which application uses your CPU. You don't need tools available for Linux since it's an overt (rather than covert) attack.

I use "Process Explorer". I've found it over the years better/more useful than the regular Windows Task Manager, for example showing, on mouse-over of the tray icon, directly the most CPU-hungry app.
Also I was referring to general use too, not only to this specific attack. With such a habit it's easy to spot any unexpected miner.

About this specific attack, if it's so visible, indeed, a quick check of the running tasks for XMRig should do.

TravelMug
Hero Member

Activity: 2674
Merit: 854
June 27, 2020, 01:28:39 AM
 #8

I think it is also important to discuss what the "normal" CPU usage is that we need to see here before we can say that we are infected, not just by these Docker images but by other malicious cryptojacking.

What do you guys think? Is < 20% a safe boundary number to say that we are safe, or that there are no crypto miners running in the background on our machine?

btc_angela (OP)
Hero Member

Activity: 2646
Merit: 549
June 27, 2020, 02:50:51 AM
 #9

> I think it is also important to discuss what the "normal" CPU usage is that we need to see here before we can say that we are infected, not just by these Docker images but by other malicious cryptojacking.
>
> What do you guys think? Is < 20% a safe boundary number to say that we are safe, or that there are no crypto miners running in the background on our machine?

I think that's a safe upper bound number. If you just have a dedicated laptop or PC for your crypto activities like trading and using it for this forum, then it is a safe number, in my opinion. I have checked my laptop and yes, it's around that ballpark with no sudden spikes.

Kakmakr
Legendary

Activity: 3458
Merit: 1961
June 27, 2020, 08:26:21 PM
 #10

This might be a stupid question, but does the hacker replace the current images with the "infected" image, or does he simply inject the script into the images that are already stored there?

I presume people run docker run --rm image/name ls -alR to see the detailed content of these images, and they are supposed to spot differences between what was saved and what was added?

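Following the question above about inspecting an image before trusting it, here is an added example (not code from the thread, from Docker, or from the Unit 42 write-up): a small Python triage check over the JSON that `docker image inspect <image>` prints, which looks at the image's start command and environment for the tell-tales of a miner-only image without ever running it. The inspect records below are constructed for illustration; the image name, `pool.example` and the wallet value are placeholders.

```python
import json

# Constructed sample: a trimmed `docker image inspect` record for a hypothetical
# image. Every value is made up; "pool.example" and the wallet are placeholders.
SAMPLE_INSPECT = json.dumps([{
    "Id": "sha256:constructed",
    "RepoTags": ["someuser/imagename:latest"],
    "Config": {
        "Env": ["PATH=/usr/local/bin:/usr/bin", "WALLET=placeholder-address"],
        "Cmd": ["python3", "/root/miner.py", "--pool", "pool.example:3333"],
        "Entrypoint": None,
    },
}])

# Constructed control: an ordinary web-server image that should raise nothing.
CLEAN_INSPECT = json.dumps([{
    "Id": "sha256:constructed-clean",
    "RepoTags": ["someuser/web:latest"],
    "Config": {"Env": ["PATH=/usr/bin"], "Cmd": ["nginx", "-g", "daemon off;"],
               "Entrypoint": None},
}])

# Substrings an image built only to mine usually carries in its start command
# or environment. Matching is case-insensitive; every hit is reported so the
# reviewer sees the evidence rather than a bare verdict.
INDICATORS = [
    ("xmrig", "known Monero miner binary name"),
    ("stratum", "stratum mining protocol"),
    ("pool", "mining pool reference"),
    ("wallet", "wallet address handed to a miner"),
    ("base64", "base64-decoded command (hides the real payload)"),
]


def suspicious_indicators(inspect_json: str) -> list[str]:
    """Return human-readable findings for each image's start command and env."""
    findings = []
    for image in json.loads(inspect_json):
        cfg = image.get("Config") or {}
        # Entrypoint and Cmd are concatenated exactly as Docker would run them;
        # either may be null in a real record, hence the `or []`.
        start = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
        texts = [("start command", start)]
        texts += [("env", e) for e in (cfg.get("Env") or [])]
        for where, text in texts:
            for needle, why in INDICATORS:
                if needle in text.lower():
                    findings.append(f"{where}: {why} ({text})")
    return findings
```

Feed it the real output of `docker image inspect` for a freshly pulled image; an empty result is not a clean bill of health (the thread's scripts could still fetch a miner at runtime), only the absence of the most obvious signs.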
khaled0111
Legendary

Activity: 2562
Merit: 2899
June 27, 2020, 11:06:21 PM
 #11

> I think it is also important to discuss what the "normal" CPU usage is that we need to see here before we can say that we are infected, not just by these Docker images but by other malicious cryptojacking.

The CPU usage depends on the programs you are running or that are running in the background, so I don't think we can set or agree on a "normal CPU usage", as it varies from one user to another and depends on what the computer is being used for at that moment.
However, you can monitor the CPU usage when your computer is idle; then, any unusual activity such as high CPU usage should be considered suspect activity.

I'm not familiar with Docker and how it works, so is this affecting Linux users only?

TravelMug
Hero Member

Activity: 2674
Merit: 854
June 28, 2020, 02:35:40 AM
 #12

> I think it is also important to discuss what the "normal" CPU usage is that we need to see here before we can say that we are infected, not just by these Docker images but by other malicious cryptojacking.
>
> The CPU usage depends on the programs you are running or that are running in the background, so I don't think we can set or agree on a "normal CPU usage", as it varies from one user to another and depends on what the computer is being used for at that moment.
> However, you can monitor the CPU usage when your computer is idle; then, any unusual activity such as high CPU usage should be considered suspect activity.
>
> I'm not familiar with Docker and how it works, so is this affecting Linux users only?

Yeah, I agree that it really depends on the program that you are running, but if you are just browsing and not doing heavy stuff, especially if you have a dedicated machine set up just for your crypto, it shouldn't be as high as 50%, perhaps.

I almost always monitor the health of my machine, especially when I log on here on bitcointalk, and see if there are some "abnormal" CPU fluctuations. There are browser extensions that are supposed to block cryptojacking, but I haven't checked them out though.
