Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach

Oct. 22, 2024, 9:54 a.m.

Description

A malicious actor has been observed targeting exposed Docker remote API servers to deploy the SRBMiner cryptominer for mining XRP cryptocurrency. The attacker uses the gRPC protocol over h2c (cleartext HTTP/2) to evade security measures and run cryptomining operations on Docker hosts. The attack process involves checking that the Docker API is reachable, requesting an upgrade to gRPC over h2c, and then using gRPC methods to manipulate Docker functionality. The attacker downloads SRBMiner from GitHub, deploys it, and starts mining to their own cryptocurrency wallet and public IP address. This exploitation of Docker's remote management API highlights the importance of proper configuration and security measures in containerized environments.

Date

Published: Oct. 22, 2024, 9:18 a.m.

Created: Oct. 22, 2024, 9:18 a.m.

Modified: Oct. 22, 2024, 9:54 a.m.

Indicators

0d4eb69b551cb538a9a4c46f7b57906a47bcabb8ef8a5d245584fbba09fc5084

59.93.45.16

Attack Patterns

SRBMiner

T1610

T1016.001

T1071.001

T1105

T1496

T1190

T1133