New Malware Campaign Compromises Docker Infrastructure to Mine Dero

A new Linux malware campaign is exploiting unsecured Docker infrastructure worldwide, turning exposed servers into a decentralized cryptojacking network that mines the privacy coin Dero.

  • The attack targets Docker Engine APIs reachable from the internet on TCP port 2375, the daemon's plaintext port, which accepts commands without authentication when it is exposed this way.
  • Once it has access, the malware spawns malicious containers that mine Dero and scan for further vulnerable hosts.
  • Two Go-based implants are used: “nginx”, named to pass as the legitimate web server, and “cloud”, the actual Dero miner.
  • The nginx implant scans for additional exposed Docker nodes and deploys infected containers on them on its own, so propagation needs no operator input.
  • The campaign runs without a command-and-control server: every compromised node spreads the infection itself, forming a self-propagating network.
  • Configuration data is stored encrypted to evade detection, and the implants hide under file-system paths typical of legitimate software.
  • Kaspersky linked this campaign to earlier cryptojacking efforts against Kubernetes clusters in 2023 and 2024.
  • As of early May, more than 520 Docker APIs were found publicly exposed, each a potential target for the campaign.
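The entry point described above is an unauthenticated Docker Engine API on port 2375, and the quickest way to know whether your own hosts are in that 520+ is to probe them the same way the nginx implant does. The script below is an added example, not code from the article or from Kaspersky: it sends a plain `GET /version` to a host on 2375 and treats a 200 response carrying a Docker version document as proof that the daemon can be driven without credentials. The two sample HTTP responses are constructed for the example; the response shape (a JSON body with `Version` and `ApiVersion` fields) is what a Docker daemon returns for that endpoint, while the exact version strings and headers are made up.

```python
"""Probe hosts for an unauthenticated Docker Engine API on TCP 2375.

Added example (not from the article). A daemon that answers /version with
a 200 and a Docker version document on the plaintext port will also accept
`POST /containers/create`, which is all the campaign needs to plant a miner.
"""
import json
import socket
import sys

DOCKER_PLAINTEXT_PORT = 2375  # non-TLS daemon port; 2376 is the conventional TLS port


def build_probe(host: str, path: str = "/version") -> bytes:
    """Raw HTTP/1.1 request for the Docker version endpoint (no auth header: none is needed)."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: docker-exposure-check/0.1\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def classify_response(raw: bytes) -> dict:
    """Decide from a raw HTTP response whether an unauthenticated Docker API answered.

    Returns {"exposed": bool, "version": str|None, "reason": str}.
    Anything other than `200` plus a JSON body with Docker's Version/ApiVersion
    keys is treated as not exposed, so a TLS-only daemon (which will not parse a
    plaintext request) or an unrelated HTTP service on the port is not flagged.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split()
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    if status != 200:
        return {"exposed": False, "version": None, "reason": f"status {status}"}
    try:
        doc = json.loads(body)
    except ValueError:
        return {"exposed": False, "version": None, "reason": "200 but non-JSON body"}
    if isinstance(doc, dict) and "Version" in doc and "ApiVersion" in doc:
        return {
            "exposed": True,
            "version": doc["Version"],
            "reason": f"docker /version answered without auth (API {doc['ApiVersion']})",
        }
    return {"exposed": False, "version": None, "reason": "200 but not a Docker version document"}


def probe_host(host: str, port: int = DOCKER_PLAINTEXT_PORT, timeout: float = 3.0) -> dict:
    """Connect, send the probe, read until close, and classify. Connection errors count as not exposed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_probe(host))
            chunks = []
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except OSError as exc:
        return {"exposed": False, "version": None, "reason": f"connect/read failed: {exc}"}
    return classify_response(b"".join(chunks))


# Constructed sample responses (not captured from a real host). The first is the
# shape an open daemon returns; the second is what a non-Docker service might say.
SAMPLE_EXPOSED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Api-Version: 1.43\r\n"
    b"Content-Type: application/json\r\n"
    b"Server: Docker/24.0.7 (linux)\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b'{"Version":"24.0.7","ApiVersion":"1.43","MinAPIVersion":"1.12","Os":"linux","Arch":"amd64"}'
)
SAMPLE_NOT_DOCKER = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def scan(hosts: list[str]) -> dict:
    """Probe every host; returns {host: classification}."""
    return {h: probe_host(h) for h in hosts}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples, then any hosts given on argv.
    print("sample exposed   :", classify_response(SAMPLE_EXPOSED))
    print("sample not docker:", classify_response(SAMPLE_NOT_DOCKER))
    for host, result in scan(sys.argv[1:]).items():
        flag = "EXPOSED" if result["exposed"] else "ok"
        print(f"{host}:{DOCKER_PLAINTEXT_PORT} {flag} {result['reason']}")
```

Run it against your own address ranges only; a host that comes back `EXPOSED` needs the daemon's `hosts` setting in `/etc/docker/daemon.json` restricted to the local Unix socket (`unix:///var/run/docker.sock`) or, where remote access is genuinely required, moved to port 2376 with `tlsverify` and a client CA configured so that the plaintext probe above no longer gets an answer. The same `/version` request makes a cheap detection signal in reverse: an internal host issuing it to many peers on 2375 is behaving like the nginx implant.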