30 malicious Docker images were downloaded 20 million times

When security researchers from Palo Alto Networks studied the images hosted on Docker Hub, they found that at least 30 container images contained Monero mining software.

When users download and run these container images, the mining software bundled in them starts and uses the computing power of the user's device to mine Monero.

The hackers are not only mining Monero but also the cryptocurrencies GRIN and ARO. All of these are privacy coins whose transactions are relatively difficult to trace.

Docker Hub is the world's largest library of container images. Docker, the company, publishes its own images there and lets other developers share theirs.

Surprisingly, these malicious container images containing mining software have been downloaded more than 20 million times, and the images have been available for more than two years.

The hackers add lure keywords such as Proxy, GGCloud, and Docker to the names of the malicious images, which entices users to download and install them.

Image: paloaltonetworks

It is worth noting that these malicious images have very high download counts and ratings and rank relatively high in search results, so users searching by keyword are likely to be misled into downloading them.

It should also be noted that there are far more than 30 malicious container images containing mining software, but two of them account for the more than 20 million downloads.

The researchers found at least 30 images with mining software, which appear to come from two different hacking teams. Both teams registered multiple accounts to publish the images.

After the security report was published, one of the hacking teams withdrew its malicious images, but the other team's malicious images are still available for users to download and install.

Although transfers between accounts cannot be traced for privacy coins such as Monero, the income from a given mining operation can still be checked through its wallet address and mining pool.

After checking, the researchers found that the cryptocurrency received by the hackers' wallet addresses was worth about $200,000, which makes this a genuinely profitable business for the hackers.

In addition, the researchers found that the hackers added multiple operating-system and microarchitecture tags to the published images, which attracts more users to download and install them.

The researchers said that this cloud-based cryptojacking operation is just one example, and they believe that platforms other than Docker Hub also host such malicious containers.

If the publisher of an image you downloaded is azurenql, 021982, dockerxmrig, ggcloud1, ggcloud2, … it is a malicious image.
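The check in the last paragraph is easy to get wrong by hand because a Docker image reference can carry a registry host, a namespace, a tag and a digest, and official images hide their `library/` namespace. The following added example (written for this page, not code from the article or from Palo Alto Networks) parses image references the way Docker's reference grammar does and flags Docker Hub images whose publisher namespace is one the page names. The publisher list contains only the names visible on the page (the page's own list is elided with "…", so this is not a complete blocklist), and the `docker images` output lines are constructed sample input.

```python
"""Flag Docker Hub images whose publisher namespace is one named in the report.

Added example for this page, not the article's or Palo Alto Networks' code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Only the publisher names visible on the page; the page's list is elided ("...")
# so this is a partial list, not a complete blocklist.
KNOWN_MALICIOUS_PUBLISHERS = frozenset(
    {"azurenql", "021982", "dockerxmrig", "ggcloud1", "ggcloud2"}
)

DOCKER_HUB = "docker.io"
# Host names that all mean Docker Hub.
HUB_ALIASES = frozenset({"docker.io", "index.docker.io", "registry-1.docker.io"})


@dataclass(frozen=True)
class ImageRef:
    registry: str
    namespace: str      # publisher / organisation; "library" for official Hub images
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split "[registry/][namespace/]repo[:tag][@digest]" into its parts."""
    ref = ref.strip()
    if not ref:
        raise ValueError("empty image reference")

    # 1. The digest is everything after the first '@' (it contains ':' itself,
    #    so it must be removed before tag parsing).
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)

    # 2. The first path component is a registry host only if it looks like one:
    #    contains '.' or ':' (port) or is 'localhost'. Otherwise it is a namespace
    #    on Docker Hub (this is Docker's own rule).
    parts = ref.split("/")
    registry = DOCKER_HUB
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    if registry in HUB_ALIASES:
        registry = DOCKER_HUB

    # 3. A ':' in the last path component separates the tag.
    tag: Optional[str] = None
    if ":" in parts[-1]:
        parts[-1], tag = parts[-1].split(":", 1)

    # 4. A bare name on Docker Hub ("ubuntu") is an official image under "library".
    if len(parts) == 1:
        namespace = "library" if registry == DOCKER_HUB else ""
        repository = parts[0]
    else:
        namespace = parts[0]
        repository = "/".join(parts[1:])

    return ImageRef(registry, namespace, repository, tag or None, digest or None)


def is_known_malicious(ref: str) -> bool:
    """True if the image comes from Docker Hub and one of the named publishers.

    The check is deliberately limited to Docker Hub: the same namespace string on
    a private registry is a different publisher.
    """
    parsed = parse_image_ref(ref)
    return parsed.registry == DOCKER_HUB and parsed.namespace in KNOWN_MALICIOUS_PUBLISHERS


def audit_image_list(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reference, publisher) for every flagged line of
    `docker images --format '{{.Repository}}:{{.Tag}}'` output."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if is_known_malicious(line):
            flagged.append((line, parse_image_ref(line).namespace))
    return flagged


# Constructed sample output of `docker images --format '{{.Repository}}:{{.Tag}}'`.
SAMPLE_IMAGE_LIST = [
    "ubuntu:22.04",
    "ggcloud1/proxy:latest",
    "azurenql/ubuntu:18.04",
    "registry.example.com:5000/team/app:1.0",
    "docker.io/021982/docker:<none>",
]

if __name__ == "__main__":
    for ref, publisher in audit_image_list(SAMPLE_IMAGE_LIST):
        print(f"FLAGGED {ref}  (publisher: {publisher})")
```

To run it against a real host, pipe `docker images --format '{{.Repository}}:{{.Tag}}'` into `audit_image_list` instead of the constructed sample. The parser is what makes the check reliable: `docker.io/021982/docker`, `021982/docker:latest` and `index.docker.io/021982/docker@sha256:...` all resolve to the same publisher, while `ubuntu` correctly resolves to `library` rather than to an empty namespace.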