Dero-jacking: cybervillains steal Kubernetes computing power

Tomcat

Using a container with a legitimate-looking name made the criminals far harder to spot.

Cybersecurity researchers have warned of a new cryptojacking campaign targeting misconfigured Kubernetes clusters to mine the Dero cryptocurrency.

Cloud security company Wiz said this is an update to a financially motivated operation first documented by CrowdStrike in March 2023.

“In this incident, the attacker used anonymous access to an internet-connected cluster to launch malicious container images hosted on Docker Hub, some of which were downloaded more than 10,000 times,” Wiz researchers reported. “These images contain a UPX-packed DERO miner called ‘pause’.”

Initial access comes through externally exposed Kubernetes API servers with anonymous authentication enabled, which the attacker then uses to deliver the miner payload.

Unlike the 2023 version, which used a DaemonSet called "proxy-api", the new version uses seemingly innocuous DaemonSets called "k8s-device-plugin" and "pytorch-container" to run the miner on all cluster nodes.

The container name "pause" is chosen so that the miner can pass for the real "pause" container, which Kubernetes uses to set up each pod initially and provide its network isolation.

The cryptocurrency miner is an open-source binary written in Go that has been modified to hard-code the wallet address and the URLs of the Dero mining pools. It is also packed with UPX to complicate analysis.

The main advantage of embedding the mining configuration in the binary is that the miner can run without any command line arguments, which security mechanisms commonly inspect.

Wiz also identified additional tools developed by the attacker, including a Windows sample of a UPX-packed Dero miner, as well as a dropper script designed to terminate the processes of competing miners on the infected host and install GMiner from GitHub.

“The attacker registered domains with innocent names to avoid suspicion and better fit into legitimate web traffic, while masking communications with known mining pools,” the researchers noted.

“These combined tactics demonstrate an attacker’s desire to adapt their techniques and outpace defense mechanisms.”
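A defender-side check built from the specifics above (successful writes from system:anonymous to the API server, DaemonSets carrying the campaign's names, and a workload container posing as "pause"); this is an added example, not code from the article or from Wiz's report. The audit events and DaemonSet list are constructed samples in the shapes the API server audit log and `kubectl get ds -A -o json` produce, and the helper names and the placeholder image are assumptions for illustration.

```python
# Names the article attributes to this campaign (2023 and current variants).
CAMPAIGN_DAEMONSET_NAMES = {"proxy-api", "k8s-device-plugin", "pytorch-container"}
WRITE_VERBS = {"create", "update", "patch"}

def anonymous_writes(audit_events):
    """(namespace, resource, name) of each write the API server accepted from system:anonymous."""
    hits = []
    for ev in audit_events:
        user = ev.get("user", {}).get("username")
        code = ev.get("responseStatus", {}).get("code", 0)
        # A 4xx means RBAC refused the write: worth alerting on, but not a deploy.
        if user != "system:anonymous" or ev.get("verb") not in WRITE_VERBS or code >= 400:
            continue
        obj = ev.get("objectRef", {})
        hits.append((obj.get("namespace"), obj.get("resource"), obj.get("name")))
    return hits

def suspicious_daemonsets(daemonset_list):
    """Flag DaemonSets named like the campaign's, or declaring a container called 'pause'
    (the real pause container is injected by the kubelet and never listed in a spec)."""
    flagged = []
    for ds in daemonset_list.get("items", []):
        meta, pod = ds["metadata"], ds["spec"]["template"]["spec"]
        reasons = []
        if meta["name"] in CAMPAIGN_DAEMONSET_NAMES:
            reasons.append("known campaign DaemonSet name")
        if any(c.get("name") == "pause" for c in pod.get("containers", [])):
            reasons.append("workload container named 'pause'")
        if reasons:
            flagged.append((meta["namespace"], meta["name"], reasons))
    return flagged

# Constructed samples (not from a real cluster): audit events in the API server's
# audit-log shape and a DaemonSet list as `kubectl get ds -A -o json` returns it.
def _ev(user, verb, code, **ref):
    return {"user": {"username": user}, "verb": verb,
            "responseStatus": {"code": code}, "objectRef": ref}
def _ds(ns, name, container, image):
    return {"metadata": {"namespace": ns, "name": name}, "spec": {"template":
            {"spec": {"containers": [{"name": container, "image": image}]}}}}
SAMPLE_AUDIT = [
    _ev("system:anonymous", "get", 200, resource="version"),
    _ev("system:anonymous", "create", 201, namespace="kube-system",
        resource="daemonsets", name="k8s-device-plugin"),
    _ev("system:anonymous", "create", 403, namespace="default", resource="pods", name="x"),
]
SAMPLE_DS = {"items": [
    _ds("kube-system", "k8s-device-plugin", "pause", "docker.io/EXAMPLE/pause:latest"),
    _ds("kube-system", "kube-proxy", "kube-proxy", "registry.k8s.io/kube-proxy:v1.29.0"),
]}
```

Feed real audit-log events and the output of `kubectl get ds -A -o json` to the two functions; an empty result from the first is also what you should see after disabling anonymous auth on the API server.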