Dero miner spreads inside containerized Linux environments

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A new Dero mining campaign is infecting containerized Linux environments through exposed Docker APIs. The attack uses two Golang malware components: 'nginx' for propagation and 'cloud' for mining. The 'nginx' malware scans for vulnerable Docker hosts, creates malicious containers, and compromises existing ones. It maintains persistence and spreads without a command-and-control server. The 'cloud' component is a modified DeroHE CLI miner with hardcoded wallet and node addresses. This campaign demonstrates the potential risks of insecurely published Docker APIs and the need for robust container security measures.
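The summary's root cause is a Docker API published over plain TCP. As an added defensive example (not part of the OpenCTI record or of the campaign analysis it summarises), the Python script below audits the two places dockerd takes its listen addresses from: the `hosts` key in `/etc/docker/daemon.json` and the `-H`/`--host` flags on the `ExecStart` line of its systemd unit. Any `tcp://` listener configured without `--tlsverify` (or `"tlsverify": true`) is reported as exposed. The `daemon.json` content and `ExecStart` line embedded below are constructed samples, not files from any real host.

```python
"""Audit Docker daemon configuration for an API published over plain TCP.

Added example; it reads configuration text, never the live API.
Inputs are constructed samples standing in for the real files.
"""
import json
import shlex
from typing import Dict, List, Tuple

# Constructed sample: daemon.json that also binds the API to every interface.
SAMPLE_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "log-driver": "json-file"
}
"""

# Constructed sample: a systemd ExecStart line that binds TCP but enforces
# TLS client certificates, which is the acceptable form of remote access.
SAMPLE_EXECSTART = (
    "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 "
    "--tlsverify --tlscacert=/etc/docker/ca.pem "
    "--tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem"
)


def parse_daemon_json(text: str) -> Tuple[List[str], bool]:
    """Return (listen addresses, tlsverify flag) declared in daemon.json."""
    cfg = json.loads(text)
    hosts = cfg.get("hosts", [])
    if not isinstance(hosts, list):      # dockerd accepts a single string too
        hosts = [hosts]
    return hosts, bool(cfg.get("tlsverify", False))


def parse_execstart(line: str) -> Tuple[List[str], bool]:
    """Return (listen addresses, tlsverify flag) from a systemd ExecStart line."""
    _, _, cmd = line.partition("=")      # strip the 'ExecStart=' key
    argv = shlex.split(cmd)
    hosts: List[str] = []
    tls_verify = False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])    # separate-argument form
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:
            hosts.append(arg[2:])        # attached form, e.g. -Htcp://...
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify


def exposed_tcp_listeners(hosts: List[str], tls_verify: bool) -> List[str]:
    """A tcp:// listener is only acceptable when TLS client verification is on."""
    if tls_verify:
        return []
    return [h for h in hosts if h.startswith("tcp://")]


def audit(daemon_json: str, execstart: str) -> Dict[str, List[str]]:
    """Report exposed TCP listeners per configuration source."""
    json_hosts, json_verify = parse_daemon_json(daemon_json)
    unit_hosts, unit_verify = parse_execstart(execstart)
    return {
        "daemon.json": exposed_tcp_listeners(json_hosts, json_verify),
        "systemd": exposed_tcp_listeners(unit_hosts, unit_verify),
    }


if __name__ == "__main__":
    for source, listeners in audit(SAMPLE_DAEMON_JSON, SAMPLE_EXECSTART).items():
        status = "EXPOSED " + ", ".join(listeners) if listeners else "ok"
        print(f"{source}: {status}")
```

On a real host, read `/etc/docker/daemon.json` and the output of `systemctl cat docker` in place of the two samples. dockerd refuses to start when `hosts` is set in both places at once, so in practice only one source is active, but auditing both catches a pending misconfiguration before the next restart. A finding from this check pairs naturally with a firewall rule restricting 2375/2376 and with alerting on unexpected container creation through the API.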

OPENCTI LABELS:

cloud,linux,docker,cryptocurrency mining,persistence,container security,nginx,golang malware,dero,port scanning