Grab what now? Graboid!

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cyber Elite
Cyber Elite

LIVEcommunity draws your attention to Unit 42's recent article, Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub. Reaper dives into what the cryptojacking worm called Graboid is and how it can impact your business. Got questions? Get answers on LIVEcommunity!



Cryptojacking worm activity overview provided by Unit 42.Cryptojacking worm activity overview provided by Unit 42.


So what is Graboid?

It's a cryptojacking worm that spreads using containers in the Community Edition of the Docker Engine. Because many endpoint protection software tools do not inspect activity inside containers, detection can be difficult.


And what does this mean?

An attacker could gain an initial foothold by targeting unsecured Docker daemons (the service that runs Docker containers), and then installing a Docker image (downloaded through Command and Control (C2) servers) on the compromised host. This is the 'jacking' part.

Once the malware is deployed, it will start mining for Monero crypto currency (like Bitcoin, but different). This is the 'crypto' part.

The malware will occasionally call home through the C2 servers and query for new vulnerable hosts to randomly spread the worm to. This is the Graboid movie reference part.


From the Unit 42 analysis, on average, each miner is active 63% of the time and mines for about 250 seconds at a time. This could help evade detection as it will diffuse the load of mining over time.


The Docker team, working with Unit 42, quickly removed the malicious images after being alerted to their existence.


How do I protect myself?

  • Never expose a docker daemon to the internet without a proper authentication mechanism. Note that, by default, the Docker Engine (CE) is NOT exposed to the internet.
  • Use UNIX socket to communicate with Docker daemon locally or use SSH to connect to a remote docker daemon.
  • Use firewall rules to whitelist the incoming traffic to a small set of sources.
  • Never pull Docker images from unknown registries or unknown user namespaces.
  • Frequently check for any unknown containers or images in the system.
  • Cloud security solutions such as Prisma Cloud or Twistlock can identify malicious containers and prevent cryptojacking activities.


For more detailed information on Unit 42 findings, including which scripts do what, and how to detect if you've been compromised, check out the full article here: Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub.

Register or Sign-in
About the Author
I drink and I know things
Top Liked Authors