
A newly discovered cryptojacking campaign is targeting Docker environments, using evasion techniques to deploy cryptocurrency miners undetected. Researchers from Darktrace and Cado Security identified the malware, which leverages exposed Docker API endpoints and Swarm orchestration to build a botnet for illicit mining [1]. The attackers deploy the XMRig miner in Alpine containers and hide its processes with libprocesshider, an LD_PRELOAD-based user-space rootkit [2].
Technical Analysis of the Attack Chain
The campaign begins with mass scanning for exposed Docker Engine APIs on ports 2375-2377 and 4243-4244 using tools such as masscan and zgrab [3]. Once access is gained, the malware deploys scripts such as kube.lateral.sh and spread_docker_local.sh to move laterally across Docker, Kubernetes, and SSH hosts. The attackers establish persistence by appending their own SSH public keys to authorized_keys files, and they steal cloud credentials from AWS and Google Cloud environments [4].
One notable aspect of this campaign is its use of Docker Hub image tags together with attacker-controlled servers for command and control (C2), which gives the operators flexibility and resilience against takedowns. The malware also joins compromised hosts to an attacker-controlled Docker Swarm, allowing centralized control over the mining operation [5].
Evasion and Detection Challenges
The malware employs several techniques to avoid detection, including hiding its processes from common monitoring tools such as top and ps (libprocesshider does this by hooking the readdir calls those tools use to enumerate /proc). Researchers also found the attackers obfuscating their tooling, which blunts traditional signature-based detection [6].
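The process-hiding technique above has a simple counter-check. libprocesshider hooks readdir(), so a directory listing of /proc skips the miner's PID, but it does not hook stat(), so probing /proc/<pid> for every possible PID still finds it. The script below, an added example that is not code from the referenced reports, compares the two views and also reports any entry in /etc/ld.so.preload, which on a server is normally empty or absent. The /proc path and the preload path are the Linux defaults; pid_max is read from the kernel.

```python
"""Spot an LD_PRELOAD process hider such as libprocesshider.

Added example for this article; not code from the referenced reports.
libprocesshider is a shared object listed in /etc/ld.so.preload that hooks
readdir()/readdir64(), so any libc-linked tool listing /proc (ps, top,
os.listdir) silently skips the hidden PID. stat() is not hooked, so probing
/proc/<pid> for every possible PID and comparing with the listing exposes
the hidden entries (the same approach the unhide tool takes).
"""
import os

PROC = "/proc"  # override when inspecting a mounted image


def parse_preload(text):
    """Return the libraries named in an ld.so.preload file (blank and # lines dropped).

    Any entry on a server deserves a look; one named like libprocesshider.so
    is a direct hit.
    """
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def preload_entries(path="/etc/ld.so.preload"):
    try:
        with open(path) as f:
            return parse_preload(f.read())
    except FileNotFoundError:
        return []


def listed_pids(proc=PROC):
    """PIDs visible through the directory listing that a hider can hook."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(proc=PROC, pid_max=None):
    """PIDs found by probing /proc/<pid> directly, which a readdir hook cannot hide.

    Brute-forcing up to pid_max (4194304 on many systemd hosts) takes a few
    seconds; that is the price of not trusting the listing.
    """
    if pid_max is None:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
            pid_max = int(f.read())
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists(os.path.join(proc, str(pid)))}


def find_hidden_pids(listed, probed):
    """Pure comparison: PIDs that exist on disk but are missing from the listing."""
    return sorted(probed - listed)


def describe(pid, proc=PROC):
    """Best-effort comm and cmdline for triage; hidden miners usually still expose both."""
    try:
        with open(os.path.join(proc, str(pid), "comm")) as f:
            comm = f.read().strip()
        with open(os.path.join(proc, str(pid), "cmdline"), "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return f"pid {pid}: exited before inspection"
    return f"pid {pid}: {comm} [{cmdline}]"


def audit(proc=PROC):
    """Run both checks; drop PIDs that merely started or exited between the two scans."""
    findings = [f"ld.so.preload entry: {lib}" for lib in preload_entries()]
    candidates = find_hidden_pids(listed_pids(proc), probed_pids(proc))
    recheck = listed_pids(proc)
    for pid in candidates:
        if pid not in recheck and os.path.exists(os.path.join(proc, str(pid))):
            findings.append("hidden process: " + describe(pid, proc))
    return findings


if __name__ == "__main__":
    for line in audit() or ["no hidden processes or preload entries found"]:
        print(line)
```

Run it as root so every /proc/<pid> is readable. A hider that also hooks stat() or is implemented in the kernel defeats this comparison; for those, compare against an enumeration from outside the host (hypervisor or a clean boot).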
Security teams should be aware of the following indicators of compromise:
- Unexpected Alpine container deployments
- Unusual network traffic to Teneo infrastructure
- Unauthorized Docker Swarm joins
- Modifications to authorized_keys files
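Three of the four indicators above can be checked from the Docker daemon's own event stream and from the authorized_keys files. The script below is an added example, not tooling from the referenced reports; the event lines are constructed samples in the shape `docker events --format '{{json .}}'` emits (Type, Action, Actor.Attributes), and the container IDs, node names, image allowlist and SSH key blobs are made up for the example.

```python
"""Triage Docker-event and authorized_keys indicators.

Added example for this article; not tooling from the referenced reports.
SAMPLE_EVENTS follows the JSON shape of `docker events --format '{{json .}}'`;
IDs, names, the allowlist and the key material are constructed.
"""
import json

# Images an operator expects on this host (assumption for the example).
IMAGE_ALLOWLIST = {"registry.example.internal/app:1.4.2", "nginx:1.27"}

SAMPLE_EVENTS = """
{"Type":"container","Action":"create","Actor":{"ID":"c1","Attributes":{"image":"nginx:1.27","name":"web"}},"scope":"local","time":1700000000}
{"Type":"container","Action":"create","Actor":{"ID":"c2","Attributes":{"image":"alpine:latest","name":"worker-01"}},"scope":"local","time":1700000060}
{"Type":"container","Action":"start","Actor":{"ID":"c2","Attributes":{"image":"alpine:latest","name":"worker-01"}},"scope":"local","time":1700000061}
{"Type":"node","Action":"create","Actor":{"ID":"n1","Attributes":{"name":"host-07"}},"scope":"swarm","time":1700000120}
{"Type":"service","Action":"create","Actor":{"ID":"s1","Attributes":{"name":"worker"}},"scope":"swarm","time":1700000130}
"""


def image_repo(image):
    """'docker.io/library/alpine:3.20' -> 'alpine'; strips registry, namespace, tag and digest."""
    name = image.rsplit("@", 1)[0]
    last = name.rsplit("/", 1)[-1]
    return last.split(":", 1)[0]


def flag_event(ev, allowlist=IMAGE_ALLOWLIST):
    """Return (severity, message) when an event matches an indicator, else None."""
    etype, action = ev.get("Type"), ev.get("Action")
    attrs = ev.get("Actor", {}).get("Attributes", {})
    if etype == "container" and action == "create":
        image = attrs.get("image", "")
        if image not in allowlist:
            sev = "high" if image_repo(image) == "alpine" else "medium"
            return (sev, f"container {attrs.get('name', '?')} created from unexpected image {image}")
    if etype == "node" and action == "create":  # a host joined the swarm this manager runs
        return ("high", f"swarm node joined: {attrs.get('name', '?')}")
    if etype == "service" and action == "create":  # workload pushed to every node
        return ("medium", f"swarm service created: {attrs.get('name', '?')}")
    return None


def scan_events(lines, allowlist=IMAGE_ALLOWLIST):
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = flag_event(json.loads(line), allowlist)
        if hit:
            findings.append(hit)
    return findings


def parse_authorized_keys(text):
    """Set of (type, base64 blob) pairs; leading options and trailing comments are ignored."""
    keys = set()
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                keys.add((tok, parts[i + 1]))
                break
    return keys


def added_keys(baseline_text, current_text):
    """Keys present now that were not in the approved baseline."""
    return sorted(parse_authorized_keys(current_text) - parse_authorized_keys(baseline_text))


# Constructed baseline and current files; the blobs are placeholders, not real keys.
BASELINE_KEYS = "ssh-ed25519 AAAAexampleAdminKey admin@bastion\n"
CURRENT_KEYS = (
    "ssh-ed25519 AAAAexampleAdminKey admin@bastion\n"
    'command="/bin/sh" ssh-rsa AAAAexampleUnknownKey\n'
)

if __name__ == "__main__":
    for sev, msg in scan_events(SAMPLE_EVENTS.splitlines()):
        print(f"[{sev}] {msg}")
    for ktype, blob in added_keys(BASELINE_KEYS, CURRENT_KEYS):
        print(f"[high] new authorized key {ktype} {blob[:16]}...")
```

Feed it live with `docker events --format '{{json .}}' | python3 triage.py` on each host and manager, and run the authorized_keys comparison from a baseline stored off the host, since an attacker with root can edit both the file and a local copy. The key parser splits on whitespace, so an options field containing a quoted space (such as `command="a b"`) needs a proper tokenizer; the network indicator in the list above is not covered here because it needs flow or DNS logs rather than daemon events.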
Mitigation and Defense Strategies
Organizations running Docker environments should implement several defensive measures. First, do not expose the Docker Engine API over TCP unless it is required; where it is, require mutual TLS (tlsverify with a private CA) so that only holders of a valid client certificate can connect, and restrict reachability with firewall rules. Monitoring Swarm activity for unauthorized node joins or orchestration changes is critical for early detection [7].
Regular patching of Docker, Kubernetes, and SSH services should be prioritized. Security teams should also monitor for unexpected container deployments and for network connections to known cryptomining pools. Runtime protection that can detect process hiding, for example by flagging entries in /etc/ld.so.preload or PIDs that exist under /proc but are absent from ps output, provides additional defense against this threat [8].
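The first mitigation, closing the exposed API that the scanning phase looks for, comes down to the daemon's listener configuration. The snippet below is an added example, not from the referenced reports: it places a weak daemon.json (cleartext TCP on every interface, no client authentication) beside a hardened one (management address only, mutual TLS against a private CA) and implements the check that distinguishes them. The certificate paths and the 10.0.0.5 management address are assumptions.

```python
"""Audit a Docker daemon.json for the exposure this campaign scans for.

Added example for this article, not from the referenced reports. Shows a
weak configuration next to a hardened one plus the check that tells them
apart. Paths and the management address are assumptions.
"""
import json

# Weak: remote API on every interface, cleartext, no client authentication.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Hardened: bound to a management address, mutual TLS with a CA you control
# (a public CA would accept any client certificate it has ever issued).
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "live-restore": true,
  "no-new-privileges": true
}"""

WILDCARD_BINDS = {"", "0.0.0.0", "::", "[::]"}


def split_tcp_host(host):
    """'tcp://[::]:2375' -> ('[::]', '2375'); 'tcp://10.0.0.5:2376' -> ('10.0.0.5', '2376')."""
    addr = host[len("tcp://"):]
    bind, _, port = addr.rpartition(":")
    return bind, port


def audit_daemon_config(text):
    """Return (severity, message) findings; an empty list means no TCP exposure problem found."""
    cfg = json.loads(text)
    findings = []
    # With no "hosts" key dockerd serves only the local unix socket.
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings
    if not cfg.get("tlsverify"):
        findings.append(("critical",
                         "TCP API without tlsverify: anyone who can reach the port can "
                         "start a privileged container and take over the host"))
    for h in tcp_hosts:
        bind, _ = split_tcp_host(h)
        if bind in WILDCARD_BINDS:
            findings.append(("high", f"{h} listens on all interfaces; bind to a management address and firewall it"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label}: {audit_daemon_config(text) or 'no findings'}")
```

Two caveats when applying this. On systemd-based distributions the stock unit starts dockerd with `-H fd://`, which conflicts with a `hosts` key in daemon.json, so the listener is often configured in a unit drop-in instead; audit that command line as well, since this check only sees the JSON file. And `tlsverify` is what actually authenticates clients; `tls` alone only encrypts the connection and still lets anyone connect.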
Attribution and Broader Implications
While not conclusively proven, researchers suspect ties to the known cryptojacking group TeamTNT based on similarities in tactics, techniques, and procedures (TTPs) [9]. This campaign represents an evolution in cloud-targeting malware, demonstrating attackers’ increasing sophistication in abusing container orchestration systems.
The discovery of this campaign highlights the ongoing risks of improperly secured cloud and container environments. As organizations continue to adopt containerization, attackers are developing more advanced methods to exploit these technologies for financial gain. This trend is likely to continue as cryptocurrency values fluctuate and attackers seek new revenue streams [10].
References
- “Cryptojacking malware targets Docker with novel evasion technique,” Infosecurity Magazine, [Online]. Available: https://www.infosecurity-magazine.com/news/cryptojacking-malware-docker-novel/
- “Crypto-mining campaign targets Docker environments with new evasion technique,” Security Affairs, [Online]. Available: https://securityaffairs.com/176877/malware/crypto-mining-campaign-targets-docker-environments-with-new-evasion-technique.html
- “New cryptojacking attack targets Docker API to deploy miners,” The Hacker News, [Online]. Available: https://thehackernews.com/2024/10/new-cryptojacking-attack-targets-docker.html
- “Attackers target exposed Docker Remote API servers with perfctl,” Trend Micro, [Online]. Available: https://www.trendmicro.com/en_us/research/24/j/attackers-target-exposed-docker-remote-api-servers-with-perfctl-.html
- “Threat actors leveraging Docker Swarm & Kubernetes to mine cryptocurrency,” Datadog Security Labs, [Online]. Available: https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/
- “Stealthy new malware targets Docker images,” CyberPress, [Online]. Available: https://cyberpress.org/stealthy-new-malware-targets-docker-images/
- “Betting on bots,” Elastic Security Labs, [Online]. Available: https://www.elastic.co/security-labs/betting-on-bots
- “Cryptojacking malware exploits Docker for token mining,” ChannelE2E, [Online]. Available: https://www.channele2e.com/brief/cryptojacking-malware-exploits-docker-for-token-mining