DERO cryptojacking adopts new techniques to evade detection | Wiz Blog

Wiz researchers describe a new cryptojacking variant targeting misconfigured Kubernetes clusters, using anonymous external access to deploy Docker Hub images that run a UPX-packed DERO miner named “pause” with hard-coded wallet and pool data to evade detection. The campaign evolves by updating Docker Hub images, employing masquerade deployment names across namespaces, and registering domains to blend in with legitimate traffic, with actionable IoCs and defense recommendations.
#DERO #pause #DockerHub #Kubernetes #windowsupdatesupport.link #dockerproxys #pausehubs #nohuppo

Key points

  • New cryptojacking variant targets misconfigured Kubernetes clusters whose API server is reachable externally and allows anonymous access; that misconfiguration is the initial access vector.
  • Malicious Docker images on Docker Hub carry a UPX-packed DERO miner named “pause” with wallet and pool data embedded in the binary for defense evasion.
  • Attackers masquerade as legitimate workloads (e.g., k8s-device-plugin, kubernetes-external-secret) and distribute across multiple namespaces to blend with normal control-plane activity.
  • The miner is deployed via Kubernetes deployments/daemonsets (e.g., k8s-device-plugin in kube-public; pytorch-container in kube-system) and uses image names that mimic legitimate assets.
  • Hard-coded wallets/pools and UPX packing improve stealth, while domain registration (windowsupdatesupport.*) aims to avoid DNS-based monitoring and detection.
  • IoCs include Kubernetes deployments, container images, wallet addresses, domains/IPs, and file hashes, plus indicators of Windows-era tooling and dropper scripts.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – “externally accessible Kubernetes API server with anonymous authentication enabled”. “This is what happened in this incident.”
  • [T1610] Deploy Container – “five different deployments scattered across namespaces… k8s-device-plugin” and other images such as “nohuppo:pause” and “dockerproxies/pause”
  • [T1036.005] Masquerading: Match Legitimate Name or Location – “masquerading techniques… benign-looking names” like k8s-device-plugin and kubernetes-external-secret
  • [T1027.002] Obfuscated/Compressed Files: Software Packing – “UPX-packed DERO miner”
  • [T1140] Deobfuscate/Decode Files or Information – “hardcoding an encrypted wallet address and mining pool information directly within the binary”
  • [T1564.011] Hide Artifacts: Ignore Process Interrupts – “tampers with bash history and other bash related logs to hide evidence”
  • [T1070] Indicator Removal – “tampers with bash history and other logs to hide evidence of its execution”
  • [T1583.001] Acquire Infrastructure: Domains – “registered these domains… to evade detection” (windowsupdatesupport.*)
  • [T1496] Resource Hijacking – “DERO miner” used to steal compute resources
  • [T1105] Ingress Tool Transfer – “wget… GMiner …; nohup” used to download mining tools

Indicators of Compromise

  • [Domain] – windowsupdatesupport.link family and subdomains (e.g., d.windowsupdatesupport.link, h.windowsupdatesupport.link, name.windowsupdatesupport.link, update.windowsupdatesupport.link)
  • [IP] – 209.141.32.182
  • [Wallet] – NYryXAGi7niFPk5FaxmqcY8hpTHmnFA9eT.TT, dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y, dero1qyhauw0rvt5sr0nvsg97n9wq0hg4s0hrj7xs09yw97tctfdqevxgzqgf40nxc
  • [Container Image] – nohuppo:pause, dockerproxies/pause, k8s-device-plugin, pytorch-container
  • [File Hash] – 68656198c24d6b32c4916a5686906c62baf7d6baae3b1d7dc615e43cb6d3fca8, e4aa649015b19a3c3350b0d897e23377d0487f9ea265fe94e7161fed09f283cf, 49e8422e5f273a564c15755711ab2a35a1deb2105bbe1a0a8ce670c9b38721e5
  • [File Path] – /var/tmp/pause, /usr/bin/pause
  • [Kubernetes Deployment/Namespace] – k8s-device-plugin (kube-public), pytorch-container (kube-system), kubernetes-external-secret (namespace not specified)
  • [Domain/Network] – community-pools.mysrv.cloud, d.windowsupdatesupport.link, update.windowsupdatesupport.link
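As an added defender-side example (not code from the Wiz post), the script below checks Kubernetes Deployment/DaemonSet manifests against the indicators listed on this page: the campaign images, the masquerade workload names from the key points, the network indicators and the file paths. It distinguishes a definite image match (high) from a name collision with a legitimate workload such as the NVIDIA device plugin (medium, for review), so that a real `k8s-device-plugin` is not mistaken for the miner. The three manifests in `SAMPLE_WORKLOADS` are constructed for illustration; the `kubectl get deploy,ds -A -o json` pipeline it assumes as input is the normal way to obtain such manifests and is not part of the page.

```python
"""Match Kubernetes workload manifests against the DERO campaign IoCs on this page."""
from typing import Any, Dict, List

# Indicators copied from the IoC section above.
IOC_IMAGES = {"nohuppo:pause", "dockerproxies/pause"}  # listed as written on the page
IOC_NETWORK = {"windowsupdatesupport.link", "community-pools.mysrv.cloud", "209.141.32.182"}
IOC_PATHS = {"/var/tmp/pause", "/usr/bin/pause"}
# Names the campaign borrows from legitimate workloads and images (key points above).
MASQUERADE_NAMES = {"k8s-device-plugin", "kubernetes-external-secret", "pytorch-container"}


def image_repo(image: str) -> str:
    """Return the repository part of an image reference, dropping tag or digest.
    'dockerproxies/pause:latest' -> 'dockerproxies/pause'; registry ports are kept."""
    image = image.split("@", 1)[0]          # drop '@sha256:...' digest
    head, sep, last = image.rpartition("/")
    last = last.split(":", 1)[0]            # a ':' in the last segment is a tag
    return f"{head}{sep}{last}"


def _container_strings(pod_spec: Dict[str, Any]) -> List[str]:
    """Collect command, args and env values across all containers of a pod spec."""
    out: List[str] = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        out.extend(c.get("command", []))
        out.extend(c.get("args", []))
        out.extend(str(e.get("value", "")) for e in c.get("env", []))
    return out


def scan_workload(workload: Dict[str, Any]) -> List[Dict[str, str]]:
    """Check one Deployment/DaemonSet manifest (as a dict) and return findings."""
    meta = workload["metadata"]
    ident = f"{meta.get('namespace', 'default')}/{meta['name']}"
    pod_spec = workload["spec"]["template"]["spec"]
    findings: List[Dict[str, str]] = []

    def add(severity: str, reason: str) -> None:
        findings.append({"workload": ident, "severity": severity, "reason": reason})

    for c in pod_spec.get("containers", []):
        image = c.get("image", "")
        repo = image_repo(image)
        if image in IOC_IMAGES or repo in IOC_IMAGES:
            add("high", f"image {image} is a known campaign image")
        elif repo.rsplit("/", 1)[-1] in MASQUERADE_NAMES:
            add("medium", f"image {image} shares a name the campaign masquerades as; "
                          "verify registry and provenance")

    for s in _container_strings(pod_spec):
        for ioc in IOC_NETWORK:
            if ioc in s:
                add("high", f"container command/args/env reference {ioc}")
        for path in IOC_PATHS:
            if path in s:
                add("high", f"container command/args/env reference {path}")

    if meta["name"] in MASQUERADE_NAMES:
        add("medium", f"workload name {meta['name']} matches a name used by the campaign; "
                      "confirm it is the deployment you expect")
    return findings


def scan_workloads(workloads: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Scan a list of manifests, e.g. the 'items' of `kubectl get deploy,ds -A -o json`."""
    return [f for w in workloads for f in scan_workload(w)]


# Constructed sample manifests: one matching the campaign, one legitimate NVIDIA
# plugin that only collides on name, and one unrelated web deployment.
SAMPLE_WORKLOADS: List[Dict[str, Any]] = [
    {"kind": "Deployment", "metadata": {"name": "k8s-device-plugin", "namespace": "kube-public"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "pause", "image": "dockerproxies/pause:latest",
          "args": ["--daemon-address", "d.windowsupdatesupport.link"]}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "nvidia-device-plugin-daemonset", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "nvidia-device-plugin-ctr", "image": "nvcr.io/nvidia/k8s-device-plugin:v0.14.1"}]}}}},
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "default"},
     "spec": {"template": {"spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}}}},
]

if __name__ == "__main__":
    for finding in scan_workloads(SAMPLE_WORKLOADS):
        print(f"[{finding['severity']}] {finding['workload']}: {finding['reason']}")
```

Run against live data with `kubectl get deploy,ds -A -o json | python3 -c 'import json,sys; ...'` feeding `items` into `scan_workloads`. The medium findings are deliberately noisy: a legitimate device plugin will trigger one, and the point of the severity split is that an image or network match is actionable on its own while a name match only tells you which workloads to verify against the registry you expect them to come from.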

Read more: https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection