Security News > 2021 > March > Malicious Docker Cryptomining Images Rack Up 20M Downloads

At least 30 malicious images in Docker Hub, with a collective 20 million downloads, have been used to spread cryptomining malware, according to an analysis.

The malicious images have raked in around $200,000 from cryptomining, according to Aviv Sasson, researcher with Palo Alto Networks' Unit 42, who found and reported the malicious activity.

Just as is the case with public code repositories like npm or Ruby, anyone can upload images to a Docker Hub account.

"It is reasonable to assume that there are many other undiscovered malicious images on Docker Hub and other public registries," he said.

"In my research, I used a cryptomining scanner that only detects simple cryptomining payloads. I also made sure any identified image was malicious by correlating the wallet address to previous attacks. Even with these simple tools, I was able to discover tens of images with millions of pulls. I suspect that this phenomenon may be bigger than what I found, with many instances in which the payload is not easily detectable."

Past campaigns have included a cryptojacking worm that spread through misconfigured Docker ports; a brand-new Linux backdoor called Doki that infested Docker servers and used a blockchain wallet for generating command-and-control domain names; and in December, researchers discovered a Monero cryptomining botnet dubbed Xanthe, which has been exploiting incorrectly configured Docker API installations in order to infect Linux systems.

News URL

https://threatpost.com/malicious-docker-cryptomining-images/165120/