Cetus Malware Description
The Cetus Malware is a Docker crypto-jacking worm discovered by researchers at Palo Alto Networks. This malware specializes in attacking Docker daemons in order to deploy a Monero-mining payload. The name Cetus was taken from the whale-like sea monster of Ancient Greek mythology.
At the beginning of the attack, the Cetus Malware impersonates a legitimate binary called Portainer, a UI (User Interface) tool used to manage multiple Docker environments. Upon successful infiltration, the malware copies itself onto the targeted device and deploys its payload, an XMRig cryptominer that uses the victim's CPU to mine the Monero cryptocurrency. The payload is likewise disguised under a legitimate-sounding name, docker-cache, although no real binary of that name exists. To start the miner, the Cetus Malware executes the function 'miner_start,' which opens '/var/log/stmp.log' to record the malware's actions and then launches the XMRig miner.
The only other function of the Cetus Malware is called 'scan_start,' and it is responsible for propagation. It uses Masscan to scan a random 16-bit subnet for Docker daemons listening on port 2375. The Cetus Malware then uses the Docker Command Line Interface (CLI) tool to send requests to each detected daemon's REST API and spread the infection.
Every infected container is assigned a different name by the Cetus Malware. To do so, the malware uses two tables of eight names each: baleful, boorish, zealous, verdant, risible, limpid, fecund, and adroit in the first table, and gormmet, obelus, agelast, peristeronic, oxter, quire, hirquiticke, and amatorculist in the second. The malware takes one name from each table and combines them to create a unique name for the container. The same name is also used as the identifier of the miner payload on the mining pool, which lets the attacker monitor each active miner's operations.
Among the commands that the Cetus Malware runs is 'docker -H ps -a' (with -H pointing at the detected daemon), used to check whether the targeted daemon is vulnerable and has not already been infected. The malware achieves persistence by adding itself to '/root/.bash_aliases,' which ensures that Cetus is executed every time the container restarts.
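The two name tables and the 'docker ps -a' listing described above give defenders a simple check: flag any container whose name is a combination of one word from each table. The following Python is an added example for that check, not code from the original write-up or from Unit 42; the exact join format between the two words is an assumption, so any of no separator, '-', '_' or '.' is accepted, and the docker ps output is a constructed sample in the tab-separated format produced by the --format template shown.

```python
# Added example: detect Cetus-style container names on a Docker host.
# The separator between the two table words is an ASSUMPTION; the write-up
# only says one name from each table is combined into a single name.
import re

TABLE_ONE = ["baleful", "boorish", "zealous", "verdant",
             "risible", "limpid", "fecund", "adroit"]
TABLE_TWO = ["gormmet", "obelus", "agelast", "peristeronic",
             "oxter", "quire", "hirquiticke", "amatorculist"]

# One word from each table, optionally joined by '-', '_' or '.' (assumed).
CETUS_NAME_RE = re.compile(
    r"^(?:%s)[-_.]?(?:%s)$" % ("|".join(TABLE_ONE), "|".join(TABLE_TWO)),
    re.IGNORECASE,
)


def is_cetus_name(name: str) -> bool:
    """True if the name is one of the 64 table-one/table-two combinations.
    Names from the REST API carry a leading '/', so it is stripped first."""
    return CETUS_NAME_RE.match(name.strip().lstrip("/")) is not None


def parse_docker_ps(output: str) -> list:
    """Parse lines of: docker ps -a --format '{{.ID}}\t{{.Names}}\t{{.Image}}\t{{.Status}}'"""
    rows = []
    for line in output.splitlines():
        if not line.strip():
            continue
        cid, names, image, status = line.split("\t", 3)
        rows.append({"id": cid, "name": names, "image": image, "status": status})
    return rows


def find_suspicious(rows: list) -> list:
    """Return only the containers whose names match the Cetus scheme."""
    return [r for r in rows if is_cetus_name(r["name"])]


# Constructed sample listing (not real data) in the tab-separated format above.
SAMPLE_PS = (
    "a1b2c3d4e5f6\tzealous-obelus\tubuntu:18.04\tUp 3 hours\n"
    "0f9e8d7c6b5a\tweb-frontend\tnginx:1.19\tUp 2 days\n"
    "123456abcdef\tbalefulperisteronic\talpine:3.12\tExited (0) 5 minutes ago\n"
    "fedcba654321\tlimpid\tredis:6\tUp 1 hour\n"
)

if __name__ == "__main__":
    for hit in find_suspicious(parse_docker_ps(SAMPLE_PS)):
        print(f"suspicious container {hit['id']} named {hit['name']!r} ({hit['status']})")
```

A name match is only an indicator; confirm by inspecting the container's processes for XMRig and checking whether the daemon is reachable on TCP 2375 without TLS.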
It should be noted that the Monero address used by Cetus has also been used by another crypto-jacking worm that targets Amazon Web Services (AWS) and Docker daemons, called Graboid.