Dero miner zombies biting through Docker APIs to build a cryptojacking horde
May 21, 2025, 10:13 p.m.
Description
A new Dero mining campaign exploits insecurely published Docker APIs to spread through containerized Linux environments. The attack uses two Golang malware implants: 'nginx' for propagation and 'cloud' for cryptocurrency mining. The 'nginx' implant scans for exposed Docker APIs, creates malicious containers on the hosts it finds, and compromises existing containers. It maintains persistence and spreads without a command-and-control server. The 'cloud' miner is based on the open-source DeroHE CLI project, with hardcoded wallet and node addresses. Unlike earlier attacks on Kubernetes clusters, this campaign spreads actively and compromises more networks. The threat underlines the importance of securing containerized infrastructure and monitoring it for malicious activity.
Tags
Date
- Created: May 21, 2025, 2:13 p.m.
- Published: May 21, 2025, 2:13 p.m.
- Modified: May 21, 2025, 10:13 p.m.
Indicators
- e4aa649015b19a3c3350b0d897e23377d0487f9ea265fe94e7161fed09f283cf
- h.windowsupdatesupport.link
- d.windowsupdatesupport.link