Crypto locker worm
The Docker cloud containerization technology is the target for a just-discovered cryptojacking worm dubbed Graboid. According to researchers at Palo Alto’s Unit 42, the worm, which looks to mine the Monero cryptocurrency, has infected more than 2,000 unsecured Docker Engine (Community Edition) hosts so far, which are in the process of being cleaned.

These are located mainly in China and the U.S. The Graboid malware is named after the sandworms in the 1990 Kevin Bacon movie, Tremors. Overall, the initial malicious Docker image has been downloaded more than 10,000 times, with the worm itself downloaded more than 6,500 times, according to Unit 42. Administrators can spot infections by looking for the presence of an image called “gakeaws/nginx” in the image build history. “The malicious actor gained an initial foothold through unsecured Docker daemons, where a Docker image was first installed to run on the compromised host,” the researchers wrote in a Wednesday post, adding that without any authentication or authorization, a malicious actor can take full control of the Docker Engine and the host.

Once the malicious Docker container is up and running, it downloads four different scripts and a list of vulnerable and infected hosts from one of its 15 command-and-control (C2) servers. Then, it randomly picks three targets, installing the worm on the first target, stopping the miner installed on a second infected host, and starting the miner on a third, also already-infected, target. “This procedure leads to a very random mining behavior,” the researchers explained.

“If my host is compromised, the malicious container does not start immediately. Instead, I have to wait until another compromised host picks me and starts my mining process. Other compromised hosts can also randomly stop my mining process. Essentially, the miner on every infected host is randomly controlled by all other infected hosts. The motivation for this randomized design is unclear.”

From a technical perspective, the entry point script /var/sbin/bash in the pocosow/centos container downloads four shell scripts from the C2 and executes them one by one. The downloaded scripts are named live.sh, worm.sh, xmr.sh and cleanxmr.sh. The live.sh script sends the number of available CPUs on the compromised host to the C2; worm.sh is responsible for choosing a new vulnerable host to infect; cleanxmr.sh chooses an infected host to stop cryptojacking on; xmr.sh starts the mining on an infected host; and cleanxmr.sh stops the cryptojacking container as well as any third-party XMRig-based containers that are present.

In a worm simulation using a potential victim pool of 2,000, the researchers found that the worm can reach 70 percent of them (1,400 vulnerable hosts) in about an hour. Further, each miner is active 63 percent of the time and each mining period lasts for 250 seconds so, in the simulation, researchers showed that there are an average of 900 active miners at any time given a compromised cluster of 1,400 hosts.

The cryptojacking effort itself is not as efficient nor as effective as it could be, according to Unit 42 researchers (much like the graboids in Tremors, “it moves in short bursts of speed, but overall is relatively inept,” they said) – but the malware does pave the way for more destructive attacks down the road. “While this cryptojacking worm doesn’t involve sophisticated tactics, techniques or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored,” they wrote.
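As an added defender-side example (not code from the article or from Unit 42), the following Python turns the two points above into checks: it looks for the image and container names named in the write-up, plus XMRig-style miner containers, in the JSON output of `docker image ls --format '{{json .}}'` and `docker ps -a --format '{{json .}}'`, and it flags a daemon.json that exposes the API over TCP without TLS client verification, the unauthenticated exposure the worm spreads through. The sample listings are constructed; the image IDs, container names and certificate paths are placeholders.

```python
import json

# Indicators named in the write-up: the image seen in build history, the container
# that carries the /var/sbin/bash entry point, and third-party XMRig miners.
GRABOID_IMAGES = {"gakeaws/nginx", "pocosow/centos"}

def parse_jsonl(text):
    """Parse `docker ... --format '{{json .}}'` output: one JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_graboid_indicators(images_jsonl, containers_jsonl):
    """Return human-readable findings for images/containers matching the indicators."""
    findings = []
    for img in parse_jsonl(images_jsonl):
        repo = img.get("Repository", "")
        if repo in GRABOID_IMAGES:
            findings.append(f"image {repo}:{img.get('Tag', '')} matches Graboid indicator")
    for c in parse_jsonl(containers_jsonl):
        image = c.get("Image", "")
        blob = (image + " " + c.get("Command", "")).lower()
        if image.split(":")[0] in GRABOID_IMAGES:
            findings.append(f"container {c.get('Names', '')} runs Graboid image {image}")
        elif "xmr" in blob:  # XMRig-based miner containers the worm also stops/starts
            findings.append(f"container {c.get('Names', '')} looks like an XMRig miner")
    return findings

def daemon_exposed_without_tls(daemon_json):
    """True if daemon.json binds a tcp:// listener without requiring client TLS
    certificates, i.e. an unauthenticated Docker API reachable over the network."""
    cfg = json.loads(daemon_json)
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    return bool(tcp) and not cfg.get("tlsverify", False)

# Constructed sample output (placeholder IDs/names, not real scan data).
SAMPLE_IMAGES = """\
{"Repository":"gakeaws/nginx","Tag":"latest","ID":"0123456789ab","Size":"9.2MB"}
{"Repository":"nginx","Tag":"1.17","ID":"abcdef012345","Size":"126MB"}
"""
SAMPLE_CONTAINERS = """\
{"ID":"1a2b3c4d5e6f","Image":"pocosow/centos","Command":"\\"/var/sbin/bash\\"","Names":"elegant_cray"}
{"ID":"6f5e4d3c2b1a","Image":"someuser/xmrig:5.0","Command":"\\"xmrig -o pool\\"","Names":"miner1"}
{"ID":"0f0f0f0f0f0f","Image":"nginx:1.17","Command":"\\"nginx -g 'daemon off;'\\"","Names":"web"}
"""
EXPOSED_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
                   '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
                   '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')
```

On a live host, feed the functions the real command output and the contents of /etc/docker/daemon.json instead of the constructed samples.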