A newly discovered Linux malware campaign is compromising unsecured Docker infrastructure around the world, turning exposed servers into nodes of a decentralized cryptojacking network that mines the privacy coin Dero.
According to a report by cybersecurity company Kaspersky, the attack begins by abusing the Docker API where it is publicly exposed on port 2375. Once access is obtained, the malware creates a malicious container, infects the containers that are already running, consumes system resources, and scans for additional targets without needing a central command server.
In software terms, Docker is a set of platform tools and products that use OS-level virtualization to deliver software in packages called containers.
The threat actors behind the operation deployed two Golang-based implants. One is named “nginx” (a deliberate attempt to pass as the legitimate web server software of the same name) and the other is called “cloud”, the actual mining software used to generate Dero.
Once a host is compromised, the nginx module uses tools such as masscan to identify targets, continuously scanning the internet for more vulnerable Docker nodes on which to deploy new infection containers.
“The whole campaign behaves like a zombie container occurrence,” the researchers wrote. “One of the infected nodes autonomously creates new zombies to mine Dero and expand, and does not require external control.”
To evade detection, the malware encrypts configuration data such as wallet addresses and Dero node endpoints, and hides itself under a path normally used by legitimate system software.
Kaspersky identified the same wallet and node infrastructure used in earlier cryptojacking campaigns that targeted Kubernetes clusters in 2023 and 2024, indicating the evolution of a known operation rather than a brand-new threat.
In this case, however, the use of self-spreading worm logic and the absence of a central command server make the campaign particularly resilient and difficult to shut down.
As of early May, more than 520 Docker APIs were exposed worldwide on port 2375. Each is a potential target.
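Because the campaign only needs an API listener reachable on tcp/2375, the first thing a defender should verify is whether their own dockerd is configured that way. The script below is an added example, not code from Kaspersky's report or from Docker: it audits a daemon.json body and a dockerd command line (both constructed samples) for a TCP listener that serves the API without TLS client authentication.

```python
"""Audit a Docker daemon config for the exposure the campaign abuses:
the API served over plain TCP (2375) with no TLS client auth. Checks
/etc/docker/daemon.json ("hosts") and the dockerd command line (-H).
Sample inputs are constructed, standing in for the real files on a host."""
import json
import re
import shlex
from typing import List

SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_EXEC_START = "/usr/bin/dockerd --containerd=/run/containerd/containerd.sock"


def audit_dockerd(daemon_json: str, exec_start: str) -> List[str]:
    """Return findings for a daemon.json body and a dockerd command line
    (in practice: /etc/docker/daemon.json and the ExecStart= of docker.service)."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv = shlex.split(exec_start)
    hosts = list(cfg.get("hosts", []))
    tls_verify = bool(cfg.get("tlsverify", False))
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True

    findings = []
    for ep in hosts:
        if not ep.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network-reachable
        m = re.match(r"tcp://(\[[^\]]*\]|[^:/]*)?(?::(\d+))?", ep)
        host = m.group(1) or ""
        # dockerd defaults to 2376 with TLS and 2375 without, when no port is given
        port = int(m.group(2)) if m.group(2) else (2376 if tls_verify else 2375)
        public = host in ("", "0.0.0.0", "[::]", "::")
        if not tls_verify:
            sev = "CRITICAL" if public else "HIGH"
            findings.append(f"{sev}: {ep} serves the Docker API on port {port} "
                            "without TLS client authentication")
        elif public:
            findings.append(f"INFO: {ep} listens on all interfaces (TLS verify on)")
    return findings


if __name__ == "__main__":
    for line in audit_dockerd(SAMPLE_DAEMON_JSON, SAMPLE_EXEC_START) or ["OK"]:
        print(line)
```

A clean result is a daemon that listens only on a unix:// or fd:// socket; any tcp:// listener without --tlsverify is the condition the campaign scans for.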