Full Report
Misconfigured Docker API instances have become the target of a new malware campaign that transforms them into a cryptocurrency mining botnet. The attacks, designed to mine for Dero currency, are notable for their worm-like capabilities to propagate the malware to other exposed Docker instances and rope them into an ever-growing horde of mining bots. Kaspersky said it observed an unidentified threat
Analysis Summary
# Tool/Technique: Dero Cryptojacking Botnet Malware
## Overview
A malware campaign that targets misconfigured Docker API instances and turns compromised environments into a Dero cryptocurrency mining botnet. The malware exhibits worm-like characteristics, allowing it to propagate to other exposed Docker instances without relying on a traditional Command and Control (C2) server.
## Technical Details
- Type: Malware Family (Cryptominer/Worm)
- Platform: Linux containers (Docker/containerized infrastructure); Ubuntu-based containers
- Capabilities: Initial access via Docker API exploitation, automated scanning/propagation, cryptojacking (Dero currency mining), self-propagation between hosts.
- First Seen: Observed around May 27, 2025 (based on article date).
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on described behaviors.*
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application
- T1190.004 - API
- **TA0003 - Persistence**
- T1547.001 - Registry Run Keys / Startup Folder (Inferred via modifying shell profile for execution)
- **TA0005 - Defense Evasion**
- T1036 - Masquerading
- T1036.005 - Match Legitimate Name or Location (Using "nginx" name)
- **TA0007 - Discovery**
- T1046 - Network Service Scanning
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (Implied via communication, though primary spread is internal container interaction)
- **TA0018 - Impact**
- T1496 - Resource Hijacking (Cryptojacking)
## Functionality
### Core Capabilities
- **Exploitation:** Gains initial access by leveraging insecurely published Docker APIs.
- **Cryptojacking:** Runs the Dero cryptocurrency miner (`cloud` payload), based on the open-source DeroHE CLI miner, to hijack victim resources.
- **Propagation Mechanism:** Utilizes a component named "nginx" to scan the internet for other exposed Docker APIs (specifically looking for port 2375).
- **Worm-like Spread:** After successful infection, it executes external scans (using deployed `masscan`) via new malicious containers to infect other susceptible Docker instances.
### Advanced Features
- **Masquerading:** The propagation malware is deliberately named "nginx" to mimic the legitimate web server.
- **Containerization for Infection:** Launches malicious containers on the remote target to install necessary dependencies (`apt-get update`), deploy scanner tools (`masscan`, `docker.io`), and transfer both payloads.
- **Persistence:** Adds the "nginx" binary to the `/root/.bash_aliases` file to ensure execution upon shell login in the compromised container.
- **C2-less Operation:** The propagation and execution mechanism is reportedly self-contained, operating without a centralized C2 server.
## Indicators of Compromise
- File Hashes: [Not specified in the article]
- File Names: `nginx` (propagation binary, masquerading as web server), `cloud` (Dero miner)
- Registry Keys: [Not applicable/Not specified for Linux containers]
- Network Indicators: Scans targeting TCP port **2375** (the default port of an unencrypted, remotely exposed Docker API).
- Behavioral Indicators: Remote execution of `docker -H <host> ps` to enumerate containers; use of `docker -H <host> cp` to transfer binaries into the remote container; modification of `/root/.bash_aliases` within the container environment.
## Associated Threat Actors
- Unidentified threat actor (Observed by Kaspersky).
[Note: The activity shows overlap with previous Dero mining campaigns documented by CrowdStrike (March 2023) and Wiz (June 2024), suggesting potential reuse of infrastructure or previous actor evolution.]
## Detection Methods
- Signature-based detection: Detection of the Golang-compiled binaries "nginx" and "cloud".
- Behavioral detection: Monitoring for unusual network scans originating from inside containers, exploitation attempts against the Docker API port 2375, and execution of `docker` commands from non-standard processes within containers.
- YARA rules: [Not specified in the article]
## Mitigation Strategies
- **API Exposure:** Ensure the Docker API is **not** exposed directly to the public internet or untrusted networks. Use secure methods like TLS/certificates or SSH tunneling for remote Docker management.
- **Least Privilege:** Run containers using the least privilege necessary, avoiding root execution where possible.
- **Network Segmentation:** Strictly segment containerized environments.
- **Source Trust:** Avoid pulling images or installing software from unknown or untrusted sources.
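The following is an added example (not code from the article, Kaspersky, or the malware authors) that turns the behavioural indicators in Detection Methods and the API-exposure rule in Mitigation Strategies into a small audit: it flags a daemon.json that publishes the API off-loopback without TLS, and applies the indicators to docker-inspect-style container records. The record field names (`Name`, `Path`, `Args`) are assumed to follow `docker inspect`; all sample data is constructed.

```python
from urllib.parse import urlsplit

# Indicators from the summary: API on TCP 2375 without TLS, "nginx"/"cloud" binaries
# run from non-standard paths, masscan sweeps for port 2375, scanner tools installed
# in-container, and /root/.bash_aliases edited to launch "nginx". Samples are constructed.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
SUSPECT_NAMES = {"nginx", "cloud"}
LEGIT_NGINX = {"/usr/sbin/nginx", "/usr/local/sbin/nginx"}

def api_exposure_findings(daemon_cfg):
    """Flag daemon.json 'hosts' entries that expose the API off-loopback without tlsverify."""
    tls = daemon_cfg.get("tlsverify", False)
    return [f"API exposed at {h} without TLS" for h in daemon_cfg.get("hosts", [])
            if urlsplit(h).scheme == "tcp" and urlsplit(h).hostname not in LOOPBACK and not tls]

def container_findings(rec):
    # Reconstruct the command line from the inspect-style Path and Args fields.
    path = rec.get("Path", "")
    cmd = " ".join([path] + rec.get("Args", []))
    base = path.rsplit("/", 1)[-1]
    out = []
    if base in SUSPECT_NAMES and path not in LEGIT_NGINX:
        out.append(f"{base} run from non-standard path {path}")
    if "masscan" in cmd and "2375" in cmd:
        out.append("masscan sweep for Docker API port 2375")
    if "apt-get" in cmd and ("masscan" in cmd or "docker.io" in cmd):
        out.append("scanner or docker client installed inside container")
    if "/root/.bash_aliases" in cmd and "nginx" in cmd:
        out.append("nginx persistence via /root/.bash_aliases")
    return out

def audit(daemon_cfg, containers):
    # Returns (source, finding) pairs for the daemon config and every container.
    hits = [("daemon.json", f) for f in api_exposure_findings(daemon_cfg)]
    for rec in containers:
        hits += [(rec["Name"], f) for f in container_findings(rec)]
    return hits

# Constructed samples: an exposed daemon beside a hardened one, benign and suspicious containers.
EXPOSED_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], "tlsverify": True}
CONTAINERS = [
    {"Name": "/web", "Path": "/usr/sbin/nginx", "Args": ["-g", "daemon off;"]},
    {"Name": "/nginx", "Path": "/tmp/nginx", "Args": []},
    {"Name": "/cloud", "Path": "/root/cloud", "Args": []},
    {"Name": "/setup", "Path": "/bin/sh", "Args": ["-c", "apt-get update && apt-get install -y masscan docker.io"]},
    {"Name": "/sweep", "Path": "/usr/bin/masscan", "Args": ["-p2375", "CONSTRUCTED_RANGE"]},
    {"Name": "/persist", "Path": "/bin/sh", "Args": ["-c", "echo /root/nginx >> /root/.bash_aliases"]},
]
```

Calling `audit(EXPOSED_DAEMON, CONTAINERS)` yields one finding for the daemon and one per suspicious container, while the hardened daemon.json produces none.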
## Related Tools/Techniques
- **DeroHE CLI miner:** The open-source base for the mining component.
- **Masscan:** Deployed within infected containers for continued network scanning and worming capability.
- **AhnLab Campaign:** A separate campaign, also mentioned in the article, that deploys a Monero miner and a backdoor using the P2P **PyBitmessage** protocol (unrelated to the Docker worm's tactics and techniques, but mentioned in the context of concurrent threat activity).