Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach
Oct. 22, 2024, 9:54 a.m.
Description
A malicious actor has been observed targeting exposed Docker remote API servers to deploy the SRBMiner cryptominer and mine XRP cryptocurrency. The attacker uses the gRPC protocol over h2c (cleartext HTTP/2) to evade security controls and run cryptomining operations on Docker hosts. The attack chain consists of checking whether the Docker API is reachable, requesting a gRPC/h2c protocol upgrade, and then calling gRPC methods to drive Docker functionality. The attacker downloads SRBMiner from GitHub, deploys it, and starts mining to their own cryptocurrency wallet and public IP address. This abuse of Docker's remote management API underlines the importance of correct configuration and hardening in containerized environments.
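The following detection check is an added example, not part of the original advisory: it scans HTTP request records bound for the Docker remote API ports and flags the h2c upgrade and gRPC markers the technique above relies on. The JSON-lines log format, field names (`id.orig_h`, `id.resp_p`, `uri`, `headers`) and sample addresses are assumptions constructed for the example.

```python
import json

# Docker daemon default TCP ports: 2375 (no TLS) and 2376 (TLS). Assumption for
# this example: the log records the destination port under "id.resp_p".
DOCKER_API_PORTS = {2375, 2376}

def h2c_reasons(headers):
    """Return why a request looks like an h2c/gRPC upgrade attempt (empty if benign)."""
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []
    # RFC 7540 section 3.2: a cleartext HTTP/2 upgrade sends "Upgrade: h2c"
    # together with an HTTP2-Settings header listed in the Connection header.
    if "h2c" in h.get("upgrade", "").lower():
        reasons.append("h2c upgrade requested")
    conn_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if "http2-settings" in conn_tokens or "http2-settings" in h:
        reasons.append("HTTP2-Settings present")
    # gRPC messages are carried with this media type over HTTP/2.
    if h.get("content-type", "").lower().startswith("application/grpc"):
        reasons.append("gRPC content type")
    return reasons

def flag_docker_h2c_requests(log_lines):
    """Scan JSON-lines HTTP records; return (src_ip, uri, reasons) for suspicious Docker API requests."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("id.resp_p") not in DOCKER_API_PORTS:
            continue  # not aimed at the Docker remote API
        reasons = h2c_reasons(rec.get("headers", {}))
        if reasons:
            findings.append((rec["id.orig_h"], rec.get("uri", ""), tuple(reasons)))
    return findings

# Constructed sample records (RFC 5737 documentation addresses, not real indicators).
SAMPLE_LOG = """
{"id.orig_h": "198.51.100.7", "id.resp_p": 2375, "method": "GET", "uri": "/_ping", "headers": {"Host": "docker"}}
{"id.orig_h": "198.51.100.7", "id.resp_p": 2375, "method": "POST", "uri": "/containers/create", "headers": {"Connection": "Upgrade, HTTP2-Settings", "Upgrade": "h2c", "HTTP2-Settings": "AAMAAABkAAQAAP__", "Content-Type": "application/grpc"}}
{"id.orig_h": "203.0.113.9", "id.resp_p": 443, "method": "POST", "uri": "/api.Svc/Call", "headers": {"Content-Type": "application/grpc"}}
"""

if __name__ == "__main__":
    for src, uri, reasons in flag_docker_h2c_requests(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {uri}: {', '.join(reasons)}")
```

The plain `/_ping` probe is not flagged on its own; pairing it with a later upgrade request from the same source, as the second record shows, is what distinguishes this pattern from ordinary API traffic.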
Date
Published: Oct. 22, 2024, 9:18 a.m.
Created: Oct. 22, 2024, 9:18 a.m.
Modified: Oct. 22, 2024, 9:54 a.m.
Indicators
0d4eb69b551cb538a9a4c46f7b57906a47bcabb8ef8a5d245584fbba09fc5084
59.93.45.16
Attack Patterns
SRBMiner
T1610
T1016.001
T1071.001
T1105
T1496
T1190
T1133