Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach

Tags

External References

• https://www.trendmicro.com/
• https://otx.alienvault.com/

Description

A malicious actor has been observed targeting Docker remote API servers to deploy the SRBMiner cryptominer for mining XRP cryptocurrency. The attacker utilizes the gRPC protocol over h2c (clear text HTTP/2 protocol) to evade security measures and execute cryptomining operations on Docker hosts. The attack process involves checking Docker API availability, requesting gRPC/h2c upgrades, and using gRPC methods to manipulate Docker functionalities. The attacker then downloads and deploys SRBMiner from GitHub, initiating mining to their cryptocurrency wallet and public IP address. This exploitation of Docker's remote management APIs highlights the importance of proper configuration and security measures in containerized environments.

Date