Containers / Security

Untrusted Docker Hub Images Found with Monero Cryptojacking Malware

25 Jun 2020 6:00am, by

A security team from Palo Alto Networks’ Unit 42 has unearthed six containers that were housed on Docker Hub that, once instantiated, were activated by unknown parties to mine the Monero cryptocurrency. Thus far, the creators of these images have generated at least $36,000 worth of Monero currency using the computers of unsuspecting victims, the researchers have determined.

The six images, created by the account “azurenql”, have been collectively pulled more than 2 million times.

Hiding secret workloads in container images is becoming an increasingly popular attack vector. “It’s very low overhead from an attacker perspective, said Jen Miller-Osborn, Unit 42’s deputy director of threat intelligence. “All they have to do is manage to put these repositories online and make them look legitimate enough that people will download them. And that’s it.”

For Unit 42, a tip-off to the illegitimate images was found in the account name itself, which looks like an official account (in this case apparently from Microsoft Azure), but was in fact planted anonymously. People assumed these were legitimate images, but they held hidden cryptomining code.

The images are built on a base of Ubuntu 16.04.6 LTS, and also have Tor and ProxyChains-NG installed to route anonymous traffic. The xmrig mining software was also planted on the image. The mined blocks are sent to the central Monero Mining Pool, minexmr, using the wallet ID format. A Python script,, initiates the mining process.

Though the mining software used the CPUs of the host to generate the currency blocks, such operations only have minimal overhead and may not be noticed by administrators.

Microsoft reported earlier this month of a similar attack it had found, this one involving Kubeflow, a machine-learning toolkit for Kubernetes, that pollinated large swathes of container clusters. That attack also generated Monero currency.

Many enterprise security platforms, such as Palo Alto’s own Prisma Cloud, can spot identify cryptojacking and block it, if it is set up to alert administrators about such activity. Administrators can also prevent such activity chiefly by ensuring images are downloaded only from trusted sources. “People really need to be careful when they’re downloading these things that they’re downloading the real ones because there’s a wide range of attackers are taking advantage of people not paying enough attention to that,” Miller-Osborn said.

Admins can also keep an eye out for activity generated by programs such as Tor, if they have no legitimate use on the network.

Palo Alto Networks is a sponsor of The New Stack.

Feature image by Nardus70 from Pixabay.

At this time, The New Stack does not allow comments directly on this website. We invite all readers who wish to discuss a story to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: [email protected].

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Unit, Docker.