
Graboid cryptomining worm leverages Docker Engine containers to spread

Researchers have found what they are calling the first cryptojacking worm to spread to and from compromised containers in the Docker Engine.

Named Graboid as an homage to the monster worm in the 1990 movie Tremors, the malware mines Monero cryptocurrency from infected machines and randomly spreads to other vulnerable hosts. Indeed, the malware contains a list of over 2,000 IPs belonging to hosts with unsecured Docker API endpoints that are openly exposed to the internet, and thus susceptible to infection. More than half of the IPs, 57.4 percent, are based in China; the U.S. has the next highest share, at 13 percent.

Graboid mines coins in 250-second spurts, and is active 63 percent of the time, according to Palo Alto Networks' Unit 42 threat intelligence team, which unearthed the malware and detailed it today in a blog post authored by Senior Cloud Vulnerability and Exploit Researcher Jay Chen.

According to Unit 42, the attackers behind the worm were able to establish an initial foothold into their hosts by installing malicious images on unsecured Docker daemons. "Because most traditional endpoint protection software does not inspect data and activities inside containers, this type of malicious activity can be difficult to detect," Chen wrote.
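The exposure Unit 42 describes is a Docker daemon whose API listens on plain TCP with no client authentication. The following audit script is an added defender-side example, not code from the article or from Unit 42: it reads the two places such a listener is normally configured (the `hosts`/`tlsverify` keys of `daemon.json` and `-H`/`--host` flags on the `dockerd` ExecStart line) and rates each TCP listener. The sample configurations embedded in it are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the article): daemon.json contents
# and systemd ExecStart lines as they would appear on a typical Docker host.
DAEMON_JSON_EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DAEMON_JSON_TLS = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true}'
EXECSTART_EXPOSED = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://[::]:2375 --containerd=/run/containerd/containerd.sock"
EXECSTART_DEFAULT = "ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock"

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
HOST_FLAG = re.compile(r"(?:^|\s)(?:-H|--host)(?:=|\s+)(\S+)")

def listeners_from_execstart(line: str) -> list[str]:
    """Extract every -H/--host value from a dockerd ExecStart line."""
    return HOST_FLAG.findall(line)

def listeners_from_daemon_json(raw: str) -> tuple[list[str], bool]:
    """Return (hosts, tlsverify) from daemon.json; a missing 'hosts' key means unix socket only."""
    cfg = json.loads(raw)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))

def audit_listeners(hosts: list[str], tls_verified: bool) -> list[dict]:
    """One finding per TCP listener; unix:// and fd:// are not reachable over the network."""
    findings = []
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue
        bind = parts.hostname or ""
        if tls_verified:
            severity, reason = "info", "TCP listener requires a client certificate (tlsverify)"
        elif bind in LOOPBACK:
            severity, reason = "medium", "plain TCP on loopback: no auth, but not reachable remotely"
        else:
            severity, reason = "critical", "unauthenticated Docker API reachable from the network"
        findings.append({"listener": host, "bind": bind, "port": parts.port,
                         "severity": severity, "reason": reason})
    return findings

def worst_severity(findings: list[dict]) -> str:
    """Collapse a list of findings to the single worst rating ('ok' when there are none)."""
    order = ["ok", "info", "medium", "critical"]
    return max((f["severity"] for f in findings), key=order.index, default="ok")

if __name__ == "__main__":
    for label, raw in (("daemon.json exposed", DAEMON_JSON_EXPOSED), ("daemon.json tls", DAEMON_JSON_TLS)):
        hosts, tls = listeners_from_daemon_json(raw)
        print(label, worst_severity(audit_listeners(hosts, tls)))
    print("unit exposed", worst_severity(audit_listeners(listeners_from_execstart(EXECSTART_EXPOSED), False)))
    print("unit default", worst_severity(audit_listeners(listeners_from_execstart(EXECSTART_DEFAULT), False)))
```

A "critical" rating here corresponds to the condition the article describes: an API endpoint that anyone reaching the port can use to pull and start images. Running this across a fleet's daemon configurations is a cheap way to find such hosts before they appear on someone else's target list.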

Unit 42 has identified two malicious images that collectively have been downloaded more than 16,500 times. The threat unit said it has collaborated with the Docker team to remove these images.

Upon starting or restarting its malicious activity after each 250-second active spurt, Graboid randomly selects three targets. "It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target. This procedure leads to a very random mining behavior," Chen explained in the post. "If my host is compromised, the malicious container does not start immediately. Instead, I have to wait until another compromised host picks me and starts my mining process. Other compromised hosts can also randomly stop my mining process. Essentially, the miner on every infected host is randomly controlled by all other infected hosts."

The purpose of this methodology is not readily apparent, Unit 42 acknowledged, suggesting this could be an example of a bad design, an evasion technique or a self-sustaining system.

A research simulation of a 30-day Graboid attack on 2,000 vulnerable hosts found that it takes roughly an hour for the worm to spread to 70 percent of all potential victims (that's assuming a 30 percent failure rate). In such a scenario, a Graboid botnet would have 900 miners active at any given time, the simulation determined.

Bradley Barth
