A Unit 42 researcher found two dozen container images on Docker Hub carrying cryptomining malware. The images have been downloaded more than 20 million times over the past two years.
Docker Hub is the largest and most popular library of container images, where companies share images with employees, customers, or the developer community to distribute open-source projects.
Aviv Sasson, a researcher at Palo Alto Networks’ Unit 42 threat intelligence team, discovered 30 malicious images on Docker Hub that contain cryptojacking software.
The infected images have been uploaded from 10 different accounts. Some of them have misleading names like “ggcloud,” “proxy,” or “docker.”
The owner of the “xmrigdocker” account has removed their images from the site, while all of the other images were still available on Docker Hub at the time of writing.
Monero was the most popular cryptocurrency with the bad actors who uploaded the images, with XMRig being the favorite tool. Some bad actors tried to mine for Grin (GRIN) and ARO (Aronium) cryptocurrency.
Sasson estimates that this cryptojacking activity must have brought the attackers about $200,000 worth of cryptocurrency.
Looking at the image tags, Sasson found that the bad actors targeted a range of processor architectures and operating systems.
“It seems like some attackers are versatile and add these tags in order to fit a broad range of potential victims that includes a number of operating systems (OS) and CPU architectures,” the researcher said.
He also noticed tags for different types of cryptominers, which would let the attacker pick the one best suited to the victim’s hardware, the researcher explains.
By looking at the wallet address and the mining pool credentials, the researcher could link some of the Docker Hub accounts to previous cryptojacking campaigns.
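The attribution step described above can be reproduced in a simple way once the start commands of the suspect images are in hand. The script below is an added example, not Unit 42’s code: it assumes each image’s command line (as shown by `docker inspect` or `docker history`) launches an XMRig-style miner using XMRig’s real `-o`/`--url`, `-u`/`--user` and `-p`/`--pass` flags, extracts the pool, wallet and password, and links accounts that share a wallet or a full set of pool credentials. The accounts, image names, pool hosts and wallet strings in the sample are constructed placeholders.

```python
"""Link Docker Hub accounts by shared miner wallet / pool credentials.

Added example (not from the original article or Unit 42). Assumes the
command line of each image is XMRig-style; sample data is constructed.
"""
import shlex
from collections import defaultdict

# Constructed sample: (account, image, command line). Wallets/pools are placeholders.
SAMPLE_IMAGES = [
    ("acct_alpha", "acct_alpha/ggcloud:latest",
     "xmrig -o pool.example-pool.test:3333 -u WALLET_A -p x --donate-level 1"),
    ("acct_alpha", "acct_alpha/proxy:amd64",
     "xmrig --url=pool.example-pool.test:3333 --user=WALLET_A --pass=x"),
    ("acct_beta", "acct_beta/docker:arm64",
     "xmrig -o other-pool.test:5555 -u WALLET_A -p worker1"),
    ("acct_gamma", "acct_gamma/builder:latest",
     "xmrig -o pool.example-pool.test:3333 -u WALLET_B"),
    ("acct_delta", "acct_delta/nginx:1.0",
     "nginx -g 'daemon off;'"),  # benign image, no miner flags
]

# XMRig flags (short and long forms) mapped to the field they carry.
MINER_FLAGS = {
    "-o": "pool", "--url": "pool",
    "-u": "wallet", "--user": "wallet",
    "-p": "password", "--pass": "password",
}


def parse_miner_args(cmdline):
    """Return {pool, wallet, password} found in an XMRig-style command line."""
    toks = shlex.split(cmdline)
    found = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("--") and "=" in tok:        # --user=WALLET form
            key, value = tok.split("=", 1)
            if key in MINER_FLAGS:
                found[MINER_FLAGS[key]] = value
        elif tok in MINER_FLAGS and i + 1 < len(toks):  # -u WALLET form
            found[MINER_FLAGS[tok]] = toks[i + 1]
            i += 1
        i += 1
    return found


def cluster_accounts(images):
    """Group accounts that share a wallet or a (pool, wallet, password) tuple.

    Uses union-find keyed on the credential strings; accounts whose images
    carry no miner flags are left out of the result.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    key_owner = {}  # credential key -> first account seen using it
    for account, _image, cmd in images:
        args = parse_miner_args(cmd)
        if "wallet" not in args:
            continue
        find(account)
        keys = ["wallet:" + args["wallet"]]
        if "pool" in args:
            keys.append("pool:%s|%s|%s" % (args["pool"], args["wallet"],
                                           args.get("password", "")))
        for key in keys:
            if key in key_owner:
                union(account, key_owner[key])
            else:
                key_owner[key] = account

    clusters = defaultdict(set)
    for acct in list(parent):
        clusters[find(acct)].add(acct)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for group in cluster_accounts(SAMPLE_IMAGES):
        print("linked accounts:", ", ".join(group))
```

In the sample, `acct_alpha` and `acct_beta` are linked because both pay out to the same wallet even though they use different pools, while `acct_gamma` stays on its own; the benign `acct_delta` image never enters the graph. The same keys (wallet, then pool credentials) are what let the researcher tie some of the Docker Hub accounts to earlier cryptojacking campaigns.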
The list of infected Docker images can be found in Unit 42’s blog post.