Connect with us

Hi, what are you looking for?



‘Graboid’ Crypto-Jacking Worm Targets Docker Hosts

Palo Alto Networks’ security researchers have identified what appears to be the first crypto-jacking worm that spreads using Docker containers.

Palo Alto Networks’ security researchers have identified what appears to be the first crypto-jacking worm that spreads using Docker containers.

Dubbed Graboid, the malware is being downloaded from command and control (C&C) servers and has been designed to mine for the Monero cryptocurrency. To spread, the worm periodically queries the C&C for vulnerable hosts and picks the next target at random.

The security researchers also discovered that, on average, each miner is active 63% of the time, with the mining periods being of 250 seconds.

During their investigation, the researchers found over 2,000 Docker engines exposed to the Internet that lack authentication, thus allowing a malicious actor to take full control of the Docker Engine (Community Edition) and the host.

As part of the attack, the threat actor was able to compromise an unsecured Docker daemon, after which they ran the malicious container from Docker Hub, fetched scripts and a list of vulnerable hosts from the C&C, and then repeated the operation to move to the next target.

Graboid includes both worm-spreading and crypto-jacking capabilities. On each iteration, it randomly picks three targets, installs the worm on the first, stops the miner on the second, and starts it on the third, which results in a random mining behavior.

The malicious container does not start immediately after the host is compromised. Instead, it waits for another compromised host to start the mining process. Additionally, it is possible for a different host to randomly stop the mining process.

Advertisement. Scroll to continue reading.

“Essentially, the miner on every infected host is randomly controlled by all other infected hosts. The motivation for this randomized design is unclear. It can be a bad design, an evasion technique (not very effective), a self-sustaining system or some other purposes,” Palo Alto Networks explains.

The malicious Docker image (pocosow/centos) has been downloaded more than 10,000 times from Docker Hub, the security researchers say. The crypto-jacking container the worm deploys (gakeaws/nginx) has been downloaded over 6,500 times.

The researchers also discovered that the same user (gakeaws) published a second crypto-jacking image, called gakeaws/mysql, which has an identical content to gakeaws/nginx.

The cryptojacking worm “can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored. If a more potent worm is ever created to take a similar infiltration approach, it could cause much greater damage, so it’s imperative for organizations to safeguard their Docker hosts,” Palo Alto Networks concludes.

Related: Docker Vulnerability Gives Arbitrary File Access to Host

Related: Stealthy Crypto-Miner Has Worm-Like Spreading Mechanism

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...