- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
LIVEcommunity draws your attention to Unit 42's recent article, Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub. Reaper dives into what the cryptojacking worm called Graboid is and how it can impact your business. Got questions? Get answers on LIVEcommunity!
It's a cryptojacking worm that spreads using containers in the Community Edition of the Docker Engine. Because many endpoint protection software tools do not inspect activity inside containers, detection can be difficult.
An attacker could gain an initial foothold by targeting unsecured Docker daemons (the service that runs Docker containers), and then installing a Docker image (downloaded through Command and Control (C2) servers) on the compromised host. This is the 'jacking' part.
Once the malware is deployed, it will start mining for Monero crypto currency (like Bitcoin, but different). This is the 'crypto' part.
The malware will occasionally call home through the C2 servers and query for new vulnerable hosts to randomly spread the worm to. This is the Graboid movie reference part.
From the Unit 42 analysis, on average, each miner is active 63% of the time and mines for about 250 seconds at a time. This could help evade detection as it will diffuse the load of mining over time.
The Docker team, working with Unit 42, quickly removed the malicious images after being alerted to their existence.
For more detailed information on Unit 42 findings, including which scripts do what, and how to detect if you've been compromised, check out the full article here: Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
5 Likes | |
3 Likes | |
3 Likes | |
3 Likes | |
2 Likes |
User | Likes Count |
---|---|
12 | |
4 | |
3 | |
3 | |
2 |