Attackers Cryptojacking Docker Images
to Mine for Monero
Palo Alto Networks Team
June 29, 2020
Containers have been gaining popularity over the past few years as an effective way of packaging software applications. Docker Hub provides a strong community-based model for users and companies to share their software applications. This is also attracting the attention of malicious actors intending to make money by cryptojacking within Docker containers and using Docker Hub to distribute these images.
We identified a malicious Docker Hub account, active since October 2019, that was hosting six malicious images intended to mine the cryptocurrency Monero. The coin mining code within the image intends to evade network detection by using network anonymizing tools such as ProxyChains and Tor. The images hosted on this account have been collectively pulled more than two million times. For context, there are legitimate Azure-related images under the official Microsoft Docker Hub account that have anywhere from a few thousand to 100 million+ pulls. One of the wallet IDs identified has been used to earn more than 525.38 XMR, which roughly translates to $36,000 USD. Additionally, when we last checked minexmr.com for this wallet ID, we saw recent activity indicating that it’s still being used.
We would like to give a shout out to the awesome security team at Docker Hub. They were very responsive and were able to take down this malicious Docker Hub account quickly in response to our notification.
Palo Alto Networks customers are protected from this threat through Threat Prevention signatures on the Next-Generation Firewall. Prisma Cloud customers are protected from it through the Trusted Images feature.
We have identified a Docker Hub community user account named that contained eight repositories hosting six malicious Monero mining images. Here is a screenshot of the account and its repositories.
Figure 1. Malicious docker images on Docker Hub
Table 1, below, provides a summary of all the images found under this Docker Hub account, listed in descending order of their pull counts. It is worth noting that the top image was pulled more than 1.47 million
Table 1. Summary of images found on the Docker Hub account
Docker Image Structure
To understand how the image is built, we reviewed the image structure of the image /227_135:442. The image is built in the following sequence of
1. Use Ubuntu 16.04.6 LTS as the “base image”.
2. Install the packages required for building from source, such as gcc, make, python, etc.
3. Install Tor to anonymize traffic. It is configured to listen on its default port.
4. Copy the ProxyChains source and build it from source. The ProxyChains config is left as default, which routes its traffic through the local Tor SOCKS proxy connection (the default config notes: defaults set to "tor").
5. Copy the source of the mining software, XMRig, and build it from source.
6. Copy a custom Python script, dao.py, and set it as the image’s Entrypoint.
Figure 2, below, demonstrates this sequence.
Figure 2. Image build
The author of these images has included a custom Python script called dao.py, which is responsible for starting the mining process within the container, and it was included in all the images. As mentioned earlier, this script is registered as the Entrypoint in the image, so that as soon as a container is started from the image, this script runs.
All the Docker images mentioned in Table 1 contain some variant of this script. The only difference between the dao.py scripts in these images is that they use a different XMRig command line invocation. The different XMRig command line invocations are listed in Table 2.
High-level execution flow
1. Find the number of CPU cores on the system.
2. Set the hugepages system property to increase the hash rate.
3. Symlink the XMRig binary (“dlls”) under
4. Start Tor in the
5. Launch the miner through proxychains, which in turn routes the miner traffic through the local Tor SOCKS proxy as described earlier. A list of all the different mining commands used across the different versions is included in Table 2.
Command to start the miner using proxychains
The script’s execution workflow is also demonstrated in Figure 5 below.
Table 2. Different mining commands used in the dao.py scripts
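As an added, defender-side example (not code from the report or from Palo Alto Networks), the following Python scans one image's `docker image inspect` configuration and `docker history` build steps for the indicators the image structure and execution flow above describe: an Entrypoint that runs a Python script like dao.py, and build steps that compile XMRig or ProxyChains or install Tor. The inspect output, history strings and image name are constructed placeholders, not values from the report.

```python
import json
import re

# Constructed sample of one element of `docker image inspect` output; the image
# name is a placeholder and the values mirror the indicators the report describes.
SAMPLE_INSPECT = json.dumps([{
    "RepoTags": ["example-user/example-image:latest"],
    "Config": {"Entrypoint": ["python", "/dao.py"], "Cmd": None},
}])

# Constructed `docker history --no-trunc` CreatedBy strings, newest layer first.
SAMPLE_HISTORY = [
    '/bin/sh -c #(nop)  ENTRYPOINT ["python" "/dao.py"]',
    "/bin/sh -c #(nop) COPY file:placeholder /dao.py",
    "/bin/sh -c cd /xmrig && mkdir build && cd build && cmake .. && make",
    "/bin/sh -c cd /proxychains-ng && ./configure && make && make install",
    "/bin/sh -c apt-get update && apt-get install -y tor gcc make python",
    '/bin/sh -c #(nop)  CMD ["/bin/bash"]',
]

# A benign image (also constructed) used as a control case.
BENIGN_INSPECT = json.dumps([{"Config": {"Entrypoint": ["/bin/bash"], "Cmd": None}}])
BENIGN_HISTORY = ["/bin/sh -c apt-get update && apt-get install -y nginx"]

# Indicators drawn from the build sequence described in the report.
INDICATORS = [
    ("miner built from source (xmrig)", re.compile(r"xmrig", re.I)),
    ("proxychains built from source", re.compile(r"proxychains", re.I)),
    ("tor installed to anonymize miner traffic", re.compile(r"\btor\b", re.I)),
    ("hugepages tuning in build steps", re.compile(r"hugepages", re.I)),
]

def scan_image(inspect_json, history):
    """Return the findings for one image: a Python-script Entrypoint (the dao.py
    pattern) plus any build step matching the indicator patterns above."""
    cfg = json.loads(inspect_json)[0]["Config"]
    entry = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    findings = []
    if re.search(r"\bpython[23]?\b.*\.py\b", entry):
        findings.append("entrypoint runs a python script: " + entry)
    for label, pattern in INDICATORS:
        if any(pattern.search(step) for step in history):
            findings.append(label)
    return findings

def is_suspicious(findings, min_hits=2):
    """Flag an image only when indicators co-occur, so a lone tor install is not enough."""
    return len(findings) >= min_hits
```

In practice the two inputs come from `docker image inspect <image>` and `docker history --no-trunc --format '{{.CreatedBy}}' <image>` run against a pulled image before it is deployed.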
Cryptomining involves solving a complex computational problem, which allows users to chain together blocks of transactions. These images use the processing power of the victim systems to verify transactions. Here, the image author uses two methods to mine blocks by running these malicious images in the user’s environment.
In the first method, the attacker directly submits the mined blocks to the central minexmr pool using a wallet ID.
Docker containers provide a convenient way of packaging software, as is evident from their increasing adoption rate. Combined with coin mining, this makes it easy for a malicious actor to distribute their images to any machine that supports Docker and instantly start using its compute resources towards
Palo Alto Networks Next-Generation Firewall customers subscribed to Threat Prevention are protected from this threat. Palo Alto Networks has released a Threat Signature to prevent network-based delivery of the malicious images identified in this blog. Details of this signature are:
Coin Mining Docker
Table 3. Signature description for NGFW coverage
In addition, security best practices are recommended, such as:
- Avoid pulling or using base images from untrusted repositories.
- latest apps and threat definitions on the Palo Alto Networks
- Palo Alto Networks Prisma Cloud can be used to secure cloud deployments.