Palo Alto Networks discovers new cryptojacking worm mining for Monero

This is the first time that a cryptojacking attack has been observed on Docker.


Researchers with Unit 42, a Palo Alto Networks threat intelligence team, discovered the first cryptojacking malware ever found on the popular platform-as-a-service Docker.

In a blog post, Unit 42 member Jay Chen said his team referred to the cryptojacking malware as a “worm” named “Graboid,” a homage to the 1990s Kevin Bacon classic “Tremors.” The worm, which was mining for Monero (an open-source cryptocurrency), managed to spread to more than 2,000 unsecured Docker hosts, whose operators use the platform to test various applications within a controlled virtual environment.


Docker is a particularly popular platform for Linux and Windows developers, but this is the first time Unit 42 had ever seen a cryptojacking worm spread using the containers found in the Docker Engine’s Community Edition.

Thankfully, Docker worked with Unit 42 to remove the worm as soon as it was notified.

“Because most traditional endpoint protection software does not inspect data and activities inside containers, this type of malicious activity can be difficult to detect. The malicious actor gained an initial foothold through unsecured Docker daemons, where a Docker image was first installed to run on the compromised host,” Chen wrote. “The malware, which was downloaded from command and control servers, is deployed to mine for Monero, and periodically queries for new vulnerable hosts from the C2 and picks the next target at random to spread the worm. Our analysis shows that on average, each miner is active 63% of the time and each…
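A defender-side check for the initial foothold Chen describes, unsecured Docker daemons. This is an added example, not code from Unit 42, Docker or the article: it audits a daemon.json body and the dockerd command line for a TCP API endpoint that is reachable beyond loopback without TLS client verification; the sample configurations and certificate paths are constructed.

```python
"""Flag a Docker daemon whose API listens on plain TCP with no client TLS.
The daemon.json bodies and argv lists below are constructed for this example."""
import json
from urllib.parse import urlsplit

# Binds to these addresses are not reachable from the network; anything else is.
_LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def _load_cfg(daemon_json: str) -> dict:
    """Parse daemon.json; an empty string means no config file is present."""
    return json.loads(daemon_json) if daemon_json.strip() else {}


def _listen_endpoints(cfg: dict, dockerd_argv: list[str]) -> list[str]:
    """Collect every listen endpoint: daemon.json "hosts" plus -H/--host flags."""
    hosts = list(cfg.get("hosts", []))
    args = iter(dockerd_argv)
    for arg in args:
        if arg in ("-H", "--host"):
            hosts.append(next(args, ""))
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts


def audit_docker_daemon(daemon_json: str, dockerd_argv: list[str]) -> list[str]:
    """Return one finding per TCP endpoint reachable from the network without
    mutual TLS ("tlsverify": true in daemon.json or --tlsverify on the command
    line). An empty list means the API is not remotely exposed."""
    cfg = _load_cfg(daemon_json)
    tls_verify = bool(cfg.get("tlsverify")) or any(
        a in ("--tlsverify", "--tlsverify=true") for a in dockerd_argv)
    findings = []
    for ep in _listen_endpoints(cfg, dockerd_argv):
        if not ep.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the host
        bind = urlsplit(ep).hostname or ""  # "" means all interfaces
        if bind not in _LOOPBACK and not tls_verify:
            findings.append(f"{ep}: Docker API reachable without TLS client verification")
    return findings


# Constructed samples: the weak configuration beside a hardened one.
EXPOSED_CFG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_CFG = ('{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
                '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server.pem", '
                '"tlskey": "/etc/docker/server-key.pem"}')

if __name__ == "__main__":
    print(audit_docker_daemon(EXPOSED_CFG, ["dockerd"]))
    print(audit_docker_daemon(HARDENED_CFG, ["dockerd"]))
```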