Xulu: Cryptojacking Leveraging Shodan, Tor, and Malicious Docker Container

Earlier this month, we detected a mining botnet that deploys malicious Docker containers on victim hosts by exploiting Docker’s remote API unauthorized Access vulnerability. We have named the botnet “Xulu” because it serves as username in the botnet’s mining.

Xulu is not the first botnet case that aims at Docker; yet it differs from other botnets by not scanning other hosts by itself, instead it utilizes OSINT (open-source intelligence) technique and dynamically searches Shodan for lists of possible preys.

It also placed its controlling server in the Tor network, which is probably an effort to hide the evil backstage manipulator of the botnet.

Malicious Docker Images that Mine Monero

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.

This definition from docker.com explains what a docker container is. Nowadays, as microservices continue to gain popularity, more enterprises use containers to deploy applications. Yet their security is often overlooked, and Docker services can become an easy target for exploitation.

When digging into the Xulu botnet event, we noticed that containers with malicious “zoolu2/auto” docker images are created on compromised hosts.

The containers have following processes running:

It is easy to distinguish the mining process

/toolbin/darwin -o us-east.cryptonight-hub.miningpoolhub.com:20580 -u xulu.autodeploy -p x --currency monero -i 0 -c conf.txt -r

Since miningpoolhub .com does not provide public payment data of its users, we do not know how much economic profit the threat actor has earned from cryptojacking.

Botnet Propagation and Persistence

The Xulu botnet propagates itself with OSINT techniques and the Tor network.

To begin with, the botnet uses http://wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd.onion as control server. The ".onion" suffix indicates that it is an anonymous onion service (a.k.a "hidden service") reachable via the Tor network.

The botnet also runs /toolbin/shodaemon as the main daemon process:

From the script we can see it firstly generates /search.txt by combining content of remote file http://wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd.onion/shodan.txt and local file /toolbin/hcode.txt .

Each file contains a list of shodan queries, which are then read and sent by /toolbin/shodan:

The queries return host ips with Docker port (2375) open on the Internet. Though not all of them are vulnerable, the threat actor can save a lot of mass scanning work by using information from Shodan.

After removing duplication, the compromised host would then send “docker run” command to each collected ip. The zoolu2/auto malicious container will then be deployed on new hosts with Docker remote API unauthorized Access vulnerability.

Besides, the botnet downloads and executes script from http://wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd.onion/bnet1.txtfor persistence.

Scale of Attack and Security Recommendations

On https://hub.docker.com , the aforementioned malicious docker image has been downloaded more than 10k times.

The author of Xulu botnet seems to be actively developing variants of the botnet:

This event is also observed by a Docker user, Caprico1, and discussed on Docker’s GitHub.

https://github.com/docker/hub-feedback/issues/1809

By the time this article is published, the zoolu2 account has been disabled by Docker’s engineers.

To avoid becoming a victim of malicious intrusion and mining, we have following recommendations for you:

• Services for internal use (e.g. Docker) should not be exposed to the Internet. Use adequate ACL or other authentication technique to only allow access from trusted users.
• Since hidden services have been used by many botnets, users who do not often use them may use some tricks to drop packets to and from it, such as on Linux you can run: echo -e "\n0.0.0.0 .onion" >> /etc/hosts This command sinkholes (redirects) any traffic to and from hidden services.
• Cloud firewalls are useful in preventing attacks. We recommend Alibaba Cloud Firewall because it is able to detect, block and analyze threats. You will be protected from intrusion and malicious mining with AI technologies on your side.
• Alibaba Cloud Managed Security Service enables users to call on expertise of Alibaba’s security specialists, who will help you clean up malware, improve configurations, and enhance overall security. If you are concerned about your organizations’ security, you should give it a try.

IOC

Control Server:

http://wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd.onion

URL:

http://wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd.onion/bnet1.txt
http://wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd.onion/shodan.txt

Pool:

us-east.cryptonight-hub.miningpoolhub.com:20580

Md5:

c29dfe75862b6aed91bec4ffc7b20b9c

Reference

https://twitter.com/Suprn8/status/1129877707897081856

https://www.alibabacloud.com/blog/dockerkiller-threat-analysis-first-instance-of-batch-attack-and-exploitation-of-docker-services_593947

What is a Container? | Docker

Reference:https://www.alibabacloud.com/blog/xulu-cryptojacking-leveraging-shodan-tor-and-malicious-docker-container_594869?spm=a2c41.12952014.0.0