A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs to deploy malicious containers and mine Dero cryptocurrency.
Dubbed a “Docker zombie outbreak” by cybersecurity researchers at Kaspersky, this attack leverages a self-replicating propagation mechanism to turn compromised containers into “zombies” that mine cryptocurrency and infect new victims.
The campaign, detected during a recent compromise assessment, shows an alarming degree of automation, requiring no command-and-control (C2) server as it spreads exponentially across vulnerable networks worldwide.

A New Threat in Containerized Environments
The attack begins when a threat actor exploits an exposed Docker API, usually on port 2375, to gain access to a containerized environment.
Once inside, two Golang-based, UPX-packed malware implants are deployed: a propagation malware masquerading as “nginx” (detected as Trojan.Linux.Agent.gen) and a Dero cryptocurrency miner named “cloud” (detected as RiskTool.Linux.Miner.gen).
The nginx malware is the orchestrator, ensuring persistence and propagation by logging its activity to “/var/log/nginx.log” and maintaining a version marker in “/usr/bin/version.dat” to identify already-infected containers.
It relentlessly scans random IPv4 /16 subnets using the masscan tool to locate other vulnerable Docker APIs, creates new malicious containers with names of 12 random characters, and compromises existing Ubuntu 18.04-based containers on remote hosts.
Each new container is provisioned with dependencies such as masscan and docker.io, and the malware implants are copied over to continue the infection cycle.

Automated Infection Chain Unleashes Chaos
The cloud miner, derived from the open-source DeroHE CLI project, operates with a hardcoded, encrypted configuration, including a wallet address (dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y) and derod node addresses (d.windowsupdatesupport[.]link and h.wiNdowsupdatesupport[.]link), decrypted via AES-CTR at runtime.
This miner hijacks the host’s resources for Dero mining, while nginx ensures its continuous operation by restarting it if interrupted.
Unlike earlier campaigns targeting Kubernetes clusters with stealthy tactics, this attack prioritizes aggressive lateral movement, scanning and infecting new networks without hesitation.
Shodan data from April 2025 reveals 520 exposed Docker APIs globally, underscoring the large potential for damage posed by this threat.
The absence of a C2 server makes this campaign particularly insidious, as it operates autonomously, relying solely on the availability of insecure Docker APIs to propagate.
According to the report, Kaspersky emphasizes the importance of robust monitoring and proactive threat hunting to combat such attacks, recommending tools like Kaspersky Container Security to detect misconfigurations and monitor registry images.
As containerized environments become increasingly prevalent, this Docker zombie malware serves as a stark reminder that runtime security is just as critical as building from trusted images.
Organizations must prioritize securing their Docker APIs and implementing comprehensive security strategies to avoid falling victim to this self-replicating digital plague.
Indicators of Compromise (IoC)

| Type | Value |
|---|---|
| File Hash, MD5 (nginx) | 094085675570A18A9225399438471CC9 |
| File Hash, MD5 (cloud) | 14E7FB298049A57222254EF0F47464A7 |
| File Paths | /usr/bin/nginx, /usr/bin/cloud, /var/log/nginx.log, /usr/bin/version.dat |
| Derod Node Addresses | d.windowsupdatesupport[.]link, h.wiNdowsupdatesupport[.]link |
| Dero Wallet Address | dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y |
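The following is an added triage example, not code from Kaspersky or from the article, that turns the indicators above into checks a defender can run against collected host data: file hashes and paths from the IoC table, the 12-character container names and Ubuntu 18.04 base image from the propagation description, the derod node domains (refanged from the `[.]` notation), and the exposed-API misconfiguration itself (a `tcp://` listener in `daemon.json` without `tlsverify`). The `docker ps` JSON lines, `daemon.json`, resolver log lines and file inventory embedded at the bottom are constructed sample input, and the assumption that the random container names are lowercase alphanumeric is the author's, not the article's.

```python
"""Added example: triage helpers for the Docker zombie IoCs listed above.

Not Kaspersky's code. IoC values are copied from the article's table; the
sample `docker ps` output, daemon.json, DNS log and file inventory below
are constructed for a stand-alone run.
"""
import json
import re

# MD5 hashes and paths from the IoC table (hashes lower-cased for comparison).
IOC_MD5 = {
    "094085675570a18a9225399438471cc9": "nginx (propagation implant)",
    "14e7fb298049a57222254ef0f47464a7": "cloud (Dero miner)",
}
IOC_PATHS = {"/usr/bin/nginx", "/usr/bin/cloud", "/var/log/nginx.log", "/usr/bin/version.dat"}
# Derod node domains, refanged ("[.]" -> ".") and lower-cased for matching.
IOC_DOMAINS = {"d.windowsupdatesupport.link", "h.windowsupdatesupport.link"}

# Assumption (not stated in the article): the 12 random characters are lowercase alphanumerics.
RANDOM_NAME = re.compile(r"^[a-z0-9]{12}$")


def flag_files(inventory):
    """inventory: (path, md5) pairs gathered from a host or container filesystem."""
    findings = []
    for path, md5 in inventory:
        label = IOC_MD5.get(md5.strip().lower())
        if label:
            findings.append((path, "hash matches " + label))
        elif path in IOC_PATHS:
            findings.append((path, "path matches campaign artefact"))
    return findings


def flag_containers(ps_json_lines):
    """ps_json_lines: text from `docker ps --format '{{json .}}'`, one object per line."""
    findings = []
    for line in ps_json_lines.splitlines():
        if not line.strip():
            continue
        c = json.loads(line)
        reasons = []
        if RANDOM_NAME.match(c.get("Names", "")):
            reasons.append("12-character random name")
        if c.get("Image", "").startswith("ubuntu:18.04"):
            reasons.append("Ubuntu 18.04 base image")
        if reasons:
            findings.append((c["Names"], reasons))
    return findings


def exposed_tcp_listeners(daemon_json):
    """Return 'hosts' entries in daemon.json that accept TCP without TLS client auth."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def flag_dns(log_lines):
    """log_lines: resolver log text; returns (line_no, domain) for lookups of IoC domains."""
    hits = []
    for n, line in enumerate(log_lines.splitlines(), 1):
        low = line.lower()
        for d in IOC_DOMAINS:
            if d in low:
                hits.append((n, d))
    return hits


# Constructed sample input (not real telemetry).
SAMPLE_PS = "\n".join([
    json.dumps({"ID": "a1b2c3d4e5f6", "Image": "ubuntu:18.04", "Names": "k3x9q2m7w1zp", "Command": "/usr/bin/nginx"}),
    json.dumps({"ID": "0f9e8d7c6b5a", "Image": "nginx:1.25", "Names": "web-frontend", "Command": "nginx -g 'daemon off;'"}),
])
SAMPLE_DAEMON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
SAMPLE_DNS = ("2025-04-10T08:00:01Z client 10.0.0.5 query A d.WindowsUpdateSupport.link\n"
              "2025-04-10T08:00:02Z client 10.0.0.5 query A archive.ubuntu.com\n")
SAMPLE_FILES = [
    ("/usr/bin/cloud", "14E7FB298049A57222254EF0F47464A7"),          # IoC hash, upper-case as in the table
    ("/usr/bin/version.dat", "d41d8cd98f00b204e9800998ecf8427e"),   # marker file (constructed MD5)
    ("/usr/bin/python3", "00000000000000000000000000000000"),       # benign, constructed MD5
]


def triage():
    """Run every check over the constructed samples and return the findings."""
    return {
        "files": flag_files(SAMPLE_FILES),
        "containers": flag_containers(SAMPLE_PS),
        "exposed_api": exposed_tcp_listeners(SAMPLE_DAEMON),
        "dns": flag_dns(SAMPLE_DNS),
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(check, result)
```

In practice, feed `flag_containers` the real output of `docker ps --format '{{json .}}'`, `exposed_tcp_listeners` the host's `/etc/docker/daemon.json`, and `flag_files` a `(path, md5)` inventory; the hash check is exact, so treat it as a confirming indicator, while the name pattern and base image are heuristics and are reported with their reasons so an analyst can weigh them.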