New Self-Spreading Malware Infects Docker Containers to Mine Dero Cryptocurrency
Description

Misconfigured Docker API instances have become the target of a new malware campaign that turns them into a cryptocurrency mining botnet. The attacks, designed to mine the Dero currency, are notable for their worm-like ability to propagate to other exposed Docker instances and rope them into an ever-growing horde of mining bots.

Kaspersky said it observed an unidentified threat actor gaining initial access to running containerized infrastructure by exploiting an insecurely published Docker API, then weaponizing that access to build the illicit cryptojacking network. "This led to the running containers being compromised and new ones being created not only to hijack the victim's resources for cryptocurrency mining but also to launch external attacks to propagate to other networks," security researcher Amged Wageh said.

The attack chain consists of two components: a propagation malware named "nginx", which scans the internet for exposed Docker APIs, and a Dero cryptocurrency miner named "cloud". Both payloads are written in Go. The name "nginx" is a deliberate attempt to masquerade as the legitimate nginx web server and fly under the radar.

The propagation malware logs its own activity, launches the miner, and then enters an infinite loop in which it generates random IPv4 subnets and probes them for susceptible Docker instances that have the default API port 2375 open, compromising any it finds. It then proceeds to…
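The condition the worm scans for is a Docker daemon whose Remote API is bound to every interface on the plaintext port 2375 with no TLS client authentication. The following audit script is an added example written for this page; it is not Kaspersky's analysis code, not the malware, and not part of Docker. It reads the two places dockerd takes listener settings from (the `hosts` and `tlsverify` keys in daemon.json, and `-H`/`--host`/`--tlsverify` on the dockerd command line), classifies each TCP listener, and shows the exposed configuration next to a hardened one. All daemon.json and command-line inputs below are constructed samples, and the severity labels are this example's own assumptions, not Docker's.

```python
"""Audit whether a Docker daemon publishes its API over plaintext TCP.

Added example, not Kaspersky's or Docker's code. Inputs are constructed
samples of the two sources dockerd reads listener settings from.
"""
import json
import re
import shlex

PLAINTEXT_API_PORT = 2375                 # default port the worm probes
WILDCARD_ADDRS = {"", "0.0.0.0", "[::]"}  # bind-to-everything forms
LOOPBACK_ADDRS = {"127.0.0.1", "localhost", "[::1]"}


def collect_listener_settings(daemon_json: str, cmdline: str) -> dict:
    """Merge 'hosts' and 'tlsverify' from daemon.json and the dockerd argv.

    Returns {"hosts": [...], "tlsverify": bool, "conflict": bool}. 'conflict'
    is set when both sources define hosts; dockerd refuses to start in that
    case, so an audit should report it rather than silently merge.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    file_hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))

    argv = shlex.split(cmdline)
    cli_hosts = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            cli_hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            cli_hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1

    return {
        "hosts": file_hosts + cli_hosts,
        "tlsverify": tlsverify,
        "conflict": bool(file_hosts and cli_hosts),
    }


def _split_tcp_host(host: str):
    """'tcp://[addr][:port]' -> (addr, port); None for unix:// and fd://."""
    if not host.startswith("tcp://"):
        return None
    rest = host[len("tcp://"):]
    m = re.match(r"^(\[[^\]]*\]|[^:]*)(?::(\d+))?$", rest)
    if not m:
        return None
    # Assumption: a tcp:// host with no port is treated as the plaintext port.
    port = int(m.group(2)) if m.group(2) else PLAINTEXT_API_PORT
    return m.group(1), port


def risky_listeners(settings: dict) -> list:
    """Return one finding per TCP listener, worst first."""
    findings = []
    for host in settings["hosts"]:
        parsed = _split_tcp_host(host)
        if parsed is None:       # unix:// and fd:// are not network-reachable
            continue
        addr, port = parsed
        wildcard = addr in WILDCARD_ADDRS
        loopback = addr in LOOPBACK_ADDRS
        if wildcard and not settings["tlsverify"]:
            sev, why = "critical", "API on all interfaces without TLS client auth"
        elif wildcard:
            sev, why = "medium", "API on all interfaces; safe only with mandatory client certs and a firewall"
        elif not settings["tlsverify"] and not loopback:
            sev, why = "high", "API on a non-loopback address without TLS"
        elif not settings["tlsverify"]:
            sev, why = "low", "plaintext API limited to loopback"
        else:
            sev, why = "info", "TLS-protected API on a specific address"
        if port == PLAINTEXT_API_PORT and sev != "info":
            why += f" on the scanner's default port {PLAINTEXT_API_PORT}"
        findings.append({"host": host, "addr": addr, "port": port,
                         "severity": sev, "reason": why})
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


def audit(daemon_json: str, cmdline: str) -> list:
    return risky_listeners(collect_listener_settings(daemon_json, cmdline))


# Constructed samples: the exposed shape the campaign looks for, and a
# hardened daemon.json that keeps the API on the local socket only.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock"], "tlsverify": true}'

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit(cfg, "dockerd") or "no TCP listeners")
```

Run it on the real host by feeding it the contents of `/etc/docker/daemon.json` and the `ExecStart` line of the dockerd unit; anything reported as critical is exactly what the "nginx" scanner is sweeping random IPv4 ranges for. If remote access is genuinely needed, the same script shows the acceptable shape: a specific address on 2376 with `tlsverify` set, and a firewall in front of it.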
