Dero miner spreads inside containerized Linux environments

May 22, 2025, 9:51 a.m.

Description

A new Dero mining campaign is infecting containerized Linux environments through exposed Docker APIs. The attack uses two Golang malware components: 'nginx', which handles propagation, and 'cloud', which handles mining. The 'nginx' malware scans for vulnerable Docker hosts, creates malicious containers on them, and compromises containers that already exist. It maintains persistence and spreads on its own, without a command-and-control server. The 'cloud' component is a modified DeroHE CLI miner with hardcoded wallet and node addresses. This campaign demonstrates the risk of insecurely published Docker APIs and the need for robust container security measures.

Date

  • Created: May 21, 2025, 11:03 p.m.
  • Published: May 21, 2025, 11:03 p.m.
  • Modified: May 22, 2025, 9:51 a.m.

Indicators

  • e4aa649015b19a3c3350b0d897e23377d0487f9ea265fe94e7161fed09f283cf
  • h.windowsupdatesupport.link
  • d.windowsupdatesupport.link

Attack Patterns