BusinessDrinksEntertainmentFashion

Privacy Crypto Dero Targeted With New Self-Spreading Malware

A new Linux malware campaign targeting unsecured Docker infrastructure is leveraging exposed Docker APIs (port 2375) to create a decentralized cryptojacking network mining the privacy coin Dero (DERO). Cybersecurity firm Kaspersky details the attack’s methodology, highlighting its unique characteristics and resilience.

The attack begins with the exploitation of publicly accessible Docker APIs. Once compromised, the malware deploys two Golang-based implants: “nginx,” disguising itself as legitimate web server software, and “cloud,” the actual Dero mining software. The “nginx” implant actively scans for additional vulnerable Docker nodes using tools like Masscan, effectively creating a self-propagating network. This autonomous behavior, described as a “zombie container outbreak,” eliminates the need for a central command server, significantly increasing the campaign’s resilience and making it difficult to contain.

Infected containers siphon system resources for Dero mining while simultaneously searching for and compromising new targets. This decentralized structure distinguishes this campaign from previous cryptojacking operations targeting Kubernetes clusters in 2023 and 2024, although the same wallet and node infrastructure suggests a connection to these earlier attacks. The malware employs encryption of configuration data, including wallet addresses and Dero node endpoints, and utilizes typical system software paths for concealment, enhancing its stealth capabilities.

The absence of a central control server makes eradication challenging. Authorities must address the root cause: the widespread exposure of Docker APIs. Kaspersky’s findings reveal over 520 publicly exposed Docker APIs (port 2375) globally as of early May, representing significant vulnerabilities. Improved security practices, including restricting Docker API access and regularly updating systems, are crucial in mitigating the risk of such attacks. The campaign’s self-replicating nature underscores the need for proactive security measures and highlights the evolving threat landscape in the context of decentralized cryptojacking operations.

Leave a Reply

Your email address will not be published. Required fields are marked *