Graboid

Most cryptojacking worms are propagated via torrents, malvertising campaigns, bogus downloads and other well-worn methods. Some cyber crooks, however, opt for more creative infection vectors. Such is the case with the Graboid cryptojacking worm: its authors spread the threat through unsecured Docker hosts, specifically Docker Engine daemons whose API has been exposed to the Internet without authentication.

Most Victims are Located in China

The creators of this cryptojacking worm are not targeting a particular group of people, industry or business type; nonetheless, most of the victims of the Graboid worm are located in China. It has been determined that there are likely more than 10,000 victims so far. The purpose of the Graboid cryptojacking worm is to infect a system and hijack its CPU resources to mine the Monero cryptocurrency.

By default, Docker does not expose any port for remote access over the Internet: the Docker Engine API listens only on a local Unix socket, and a TCP listener (conventionally port 2375, or 2376 with TLS) has to be enabled deliberately. It is therefore likely that the users infected by the Graboid worm had configured the daemon to listen on TCP without TLS client authentication, leaving anyone on the Internet able to create and run containers on their hosts.
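The check below is an added example, not code from the original article or from the worm. It audits the two places a Docker Engine TCP listener is usually configured, /etc/docker/daemon.json ("hosts", "tlsverify") and the dockerd command line (-H / --host, --tlsverify), and reports the misconfiguration Graboid relies on: the Engine API on TCP with no TLS client authentication. The weak and hardened sample configurations at the bottom are constructed, and the certificate paths in the hardened one are assumptions.

```python
"""Audit a Docker Engine daemon configuration for an Engine API TCP listener
with no TLS client authentication (the misconfiguration Graboid exploits).
Added example, not code from the original article or from the worm.  The
sample inputs at the bottom are constructed."""
import json
import shlex
from urllib.parse import urlparse

ALL_INTERFACES = ("", "0.0.0.0", "::")


def hosts_from_cmdline(cmdline):
    """Collect every -H/--host value from a dockerd command line."""
    argv = shlex.split(cmdline)
    hosts = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("-H=") or arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        i += 1
    return hosts


def tlsverify_from_cmdline(cmdline):
    """True if --tlsverify (or --tlsverify=true) is on the command line."""
    for arg in shlex.split(cmdline):
        if arg == "--tlsverify":
            return True
        if arg.startswith("--tlsverify=") and arg.split("=", 1)[1].lower() != "false":
            return True
    return False


def audit_dockerd(daemon_json_text="", cmdline=""):
    """Return a list of (level, message) findings.  An empty list means the
    Engine API is reachable only through the local socket, or only over TLS
    with client certificates."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    hosts = list(cfg.get("hosts", [])) + hosts_from_cmdline(cmdline)
    tls_verify = bool(cfg.get("tlsverify", False)) or tlsverify_from_cmdline(cmdline)
    findings = []
    for host in hosts:
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local to the host
        if not tls_verify:
            findings.append(("CRITICAL", f"{host}: Engine API over TCP without --tlsverify; "
                             "anyone who can reach the port can start containers as root"))
        if (url.hostname or "") in ALL_INTERFACES:
            findings.append(("WARNING", f"{host}: listener bound to all interfaces"))
    return findings


# Constructed samples: the weak setup Graboid exploits and a hardened one.
WEAK_CMDLINE = "dockerd -H fd:// -H tcp://0.0.0.0:2375"
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",        # certificate paths are assumptions
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, kw in (("weak", {"cmdline": WEAK_CMDLINE}),
                      ("hardened", {"daemon_json_text": HARDENED_DAEMON_JSON})):
        print(label, audit_dockerd(**kw) or "no findings")
```

The hardened configuration still gets a warning for binding to every interface; with tlsverify set the daemon rejects clients that cannot present a certificate signed by the configured CA, so the listener is no longer an open door, but restricting it to an internal address or a firewall rule is still the safer choice.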

How the Attack is Carried Out

After a Docker host has been compromised, the worm downloads several bash scripts, each with a specific purpose, and the hosts they act on are picked at random. The first file the Graboid worm fetches is a list of IP addresses of other unsecured Docker hosts that the threat can compromise. A script named 'live.sh' reports information about the victim's system, specifically its CPU, back to the operators of the Graboid worm. A script named 'worm.sh' picks one of the vulnerable IP addresses from that list and spreads the worm to it. Another script, 'cleanxmr.sh', likewise picks a random address from the list and stops any crypto-mining containers already running on that host, whether or not they belong to the Graboid worm, so that no other application is harvesting the CPU resources. In the final step, a script called 'xmr.sh' deploys the Monero mining module on a host picked from the same list.

Malware analysts have not been able to determine why the creators of this crypto-jacking worm randomized when mining starts and stops on the infected hosts. There is no apparent advantage to this approach; on the contrary, it reduces the miner's effectiveness, since each host only mines part of the time.
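The detection below is an added example, not code from the original article or from the worm. It covers the behaviour described in the two preceding paragraphs: miner containers that are started, killed and started again on a host after short, irregular runs, which is what the randomized on/off mining looks like in the Docker event stream. It assumes the line format of `docker events --format '{{json .}}'` (fields Type, Action, time and Actor.ID / Actor.Attributes.image); the event lines, the thresholds and the image name are constructed for the demonstration.

```python
"""Flag images whose containers are started and die over and over after
short runs, the pattern a randomised on/off miner leaves in `docker events`.
Added example, not code from the original article or from the worm.  The
event lines below are constructed and the miner image name is hypothetical."""
import json
from collections import defaultdict

MIN_CYCLES = 3        # start/die pairs per image before we alert (assumed threshold)
MAX_RUN_SECS = 600    # a run shorter than this looks like interval mining (assumed)


def parse_events(lines):
    """Keep container start/die events as (time, action, container_id, image), in time order."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("Type") != "container" or ev.get("Action") not in ("start", "die"):
            continue
        actor = ev["Actor"]
        events.append((int(ev["time"]), ev["Action"], actor["ID"],
                       actor["Attributes"].get("image", "?")))
    events.sort()
    return events


def find_churn(lines):
    """Return {image: [run lengths in seconds]} for images whose containers
    started and died at least MIN_CYCLES times, every run under MAX_RUN_SECS."""
    started = {}                 # container_id -> (start time, image)
    runs = defaultdict(list)     # image -> run lengths
    for t, action, cid, image in parse_events(lines):
        if action == "start":
            started[cid] = (t, image)
        elif cid in started:
            t0, image = started.pop(cid)
            runs[image].append(t - t0)
    return {image: r for image, r in runs.items()
            if len(r) >= MIN_CYCLES and max(r) <= MAX_RUN_SECS}


def _event(t, action, cid, image):
    """Build one constructed event line in the `docker events` JSON shape."""
    return json.dumps({"Type": "container", "Action": action, "time": t,
                       "Actor": {"ID": cid, "Attributes": {"image": image, "name": cid}}})


MINER = "registry.invalid/worker:latest"   # hypothetical image name
BASE = 1571000000
SAMPLE_EVENTS = [
    _event(BASE, "start", "c1", MINER), _event(BASE + 250, "die", "c1", MINER),
    _event(BASE + 10, "start", "web1", "nginx:1.17"),      # long-lived, never dies
    _event(BASE + 100, "start", "job1", "alpine:3.10"),    # one short job, not churn
    _event(BASE + 105, "die", "job1", "alpine:3.10"),
    _event(BASE + 400, "start", "c2", MINER), _event(BASE + 580, "die", "c2", MINER),
    _event(BASE + 700, "start", "c3", MINER), _event(BASE + 1010, "die", "c3", MINER),
    _event(BASE + 1200, "start", "c4", MINER), _event(BASE + 1400, "die", "c4", MINER),
]

if __name__ == "__main__":
    for image, runs in find_churn(SAMPLE_EVENTS).items():
        print(f"ALERT {image}: {len(runs)} short runs, lengths {runs}")
```

Grouping by image rather than by container is deliberate: each mining cycle is a fresh container from the same image, so per-container counters would never reach the threshold. On a real host the lines come from `docker events --format '{{json .}}'` piped into the script, and an alert is a prompt to inspect the image and the host's Engine API exposure.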

It is clear, however, why the attackers chose to propagate the Graboid worm via Docker containers. This is not a novel approach, and cyber crooks tend to favor it because traditional anti-virus and endpoint-protection software often does not inspect what runs inside a container, effectively giving containers 'carte blanche.' Hopefully, anti-malware solutions will become more vigilant about container workloads in the future.
