A new automated malware campaign exploits insecure Docker APIs to propagate malicious containers mining Dero cryptocurrency without a command-and-control server. The malware consists of a propagation module disguised as “nginx” and a Dero crypto miner named “cloud,” enabling rapid infection and lateral movement across containerized infrastructures. #DeroMiner #DockerAPI #nginxMalware
Keypoints
- The campaign exploits exposed Docker APIs on port 2375 to gain unauthorized access to container environments and deploy malicious containers.
- The malware propagates through two Golang-based implants: “nginx” for propagation and persistence, and “cloud” for Dero cryptocurrency mining.
- “nginx” malware disguises itself as the legitimate nginx server to avoid detection and uses continuous scanning with masscan to find new vulnerable Docker APIs.
- The malware creates new malicious containers and compromises existing ubuntu:18.04-based containers that lack a specific infection marker file (version.dat).
- The “cloud” miner is hardcoded with encrypted wallet and Dero node addresses, which the malware decrypts and uses for mining operations.
- No command-and-control server is needed; instead, the infection spreads autonomously by scanning, compromising, and creating containers.
- Analysis shows over 500 Docker APIs were exposed worldwide in early 2025, indicating a widespread risk and the need for container security.
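As an added triage example (written for this summary, not code from the Securelist article or the campaign), the Python below checks a Docker host against the behaviour described in the key points: a daemon exposed over plain TCP, and a container snapshot showing the version.dat marker, the .bash_aliases persistence entry, the known sample hashes, or the targeted ubuntu:18.04 base. The .bash_aliases path and the `docker inspect`-shaped input are assumptions; the sample input is constructed so the script runs offline.

```python
import hashlib

# Indicators from the summary above: sample MD5s, marker file, persistence.
KNOWN_BAD_MD5 = {
    "094085675570a18a9225399438471cc9": "nginx propagation implant",
    "14e7fb298049a57222254ef0f47464a7": "cloud Dero miner",
}
MARKER_FILE = "/usr/bin/version.dat"
ALIASES_FILE = "/root/.bash_aliases"  # assumption: persistence is in root's aliases


def daemon_api_exposed(daemon_config: dict) -> bool:
    """True if dockerd (daemon.json) listens on tcp:// without TLS verification."""
    hosts = daemon_config.get("hosts", [])
    tcp_listeners = [h for h in hosts if h.startswith("tcp://")]
    return bool(tcp_listeners) and not daemon_config.get("tlsverify", False)


def assess_container(inspect: dict, files: dict) -> list:
    """Return findings for one container.

    `inspect` is one element of `docker inspect` output; `files` maps a path
    inside the container to its content as bytes (collected e.g. with
    `docker cp`). Paths that do not exist are simply absent from the dict.
    """
    findings = []
    for path, content in files.items():
        digest = hashlib.md5(content, usedforsecurity=False).hexdigest()
        if digest in KNOWN_BAD_MD5:
            findings.append(f"{path}: hash matches {KNOWN_BAD_MD5[digest]}")
    if MARKER_FILE in files:
        findings.append(f"{MARKER_FILE}: campaign infection marker present")
    aliases = files.get(ALIASES_FILE, b"").decode(errors="replace")
    if "/usr/bin/nginx" in aliases:
        findings.append(f"{ALIASES_FILE}: launches /usr/bin/nginx on shell login")
    image = inspect.get("Config", {}).get("Image", "")
    if image.startswith("ubuntu:18.04"):
        findings.append(f"image {image}: base targeted by the campaign, verify manually")
    return findings


# Constructed sample input: an exposed daemon and a container carrying the
# marker and persistence line; its nginx binary is NOT one of the known samples.
SAMPLE_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
SAMPLE_INSPECT = {"Config": {"Image": "ubuntu:18.04"}}
SAMPLE_FILES = {
    "/usr/bin/version.dat": b"1\n",
    "/root/.bash_aliases": b"/usr/bin/nginx &\n",
    "/usr/bin/nginx": b"constructed placeholder, not the real sample",
}

if __name__ == "__main__":
    print("Docker API exposed without TLS:", daemon_api_exposed(SAMPLE_DAEMON))
    for finding in assess_container(SAMPLE_INSPECT, SAMPLE_FILES):
        print("finding:", finding)
```

A matching hash only fires on the exact samples listed above; the marker, persistence and base-image checks are what catch recompiled variants, so treat them as the primary signal.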
MITRE Techniques
- [T1046] Network Service Scanning – The malware uses masscan to scan internet-wide IPv4 /16 subnets for Docker APIs exposed on port 2375 (“masscan -p 2375 -oL - --max-rate 360”).
- [T1566] Resource Hijacking – The “cloud” implant mines Dero cryptocurrency using the victim’s container resources without requiring operator interaction.
- [T1021.001] Remote Services: Remote Desktop Protocol – The malware remotely executes Docker commands to list running containers and deploy new malicious ones (“docker -H PS”, “docker -H run”).
- [T1543.003] Create or Modify System Process: Windows Service – The malware achieves persistence by adding the nginx executable to .bash_aliases to automatically execute on shell login.
- [T1574.002] Hijack Execution Flow: Dynamic Link Library Injection – The malware masquerades as the legitimate nginx binary to evade detection and blend in with normal system processes.
Indicators of Compromise
- [File Hash] hashes of malware samples – 094085675570A18A9225399438471CC9 (nginx), 14E7FB298049A57222254EF0F47464A7 (cloud)
- [File Path] locations of malware binaries and logs – /usr/bin/nginx, /usr/bin/cloud, /var/log/nginx.log, /usr/bin/version.dat
- [Domain] Dero node command server domains used by the miner – d.windowsupdatesupport[.]link, h.wiNdowsupdatesupport[.]link
- [Cryptocurrency Wallet] hardcoded Dero mining wallet address – dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y
Read more: https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/