Recherche : [Cryptocurrencies]

Dero miner spreads inside containerized Linux environments | Securelist https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/

01/06/2025 17:15:18

Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API, and bites exploits it by creating new malicious containers and compromising the running ones, thus transforming them into new “zombies” that will mine for Dero currency and continue “biting” new victims. No command-and-control server is required for the delivery, just an exponentially growing number of victims that are automatically infecting new ones. That’s exactly what the new Dero mining campaign does.

During a recent compromise assessment project, we detected a number of running containers with malicious activities. Some of the containers were previously recognized, while others were not. After forensically analyzing the containers, we confirmed that a threat actor was able to gain initial access to a running containerized infrastructure by exploiting an insecurely published Docker API. This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks. The diagram below describes the attack vector:

The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. Both samples are written in Golang and packed with UPX. Kaspersky products detect these malicious implants with the following verdicts:

nginx: Trojan.Linux.Agent.gen;
Dero crypto miner: RiskTool.Linux.Miner.gen.
nginx: the propagation malware
This malware is responsible for maintaining the persistence of the crypto miner and its further propagation to external systems. This implant is designed to minimize interaction with the operator and does not require a delivery C2 server. nginx ensures that the malware spreads as long as there are users insecurely publishing their Docker APIs on the internet.

The malware is named “nginx” to masquerade as the well-known legitimate nginx web server software in an attempt to evade detection by users and security tools. In this post, we’ll refer to this malware as “nginx”.

After unpacking the nginx malware, we parsed the metadata of the Go binary and were able to determine the location of the Go source code file at compilation time: “/root/shuju/docker2375/nginx.go”.

A miner and the ClipBanker Trojan being distributed via SourceForge | Securelist https://securelist.com/miner-clipbanker-sourceforge-campaign/116088/?ref=metacurity.com

09/04/2025 20:20:08

Malicious actors are using SourceForge to distribute a miner and the ClipBanker Trojan while utilizing unconventional persistence techniques.

SparkCat crypto stealer in Google Play and App Store https://securelist.com/sparkcat-stealer-in-app-store-and-google-play/115385/

05/02/2025 09:18:19

Kaspersky experts discover iOS and Android apps infected with the SparkCat crypto stealer in Google Play and the App Store. It steals crypto wallet data using an OCR model.

A backdoor with a cryptowallet stealer inside cracked macOS software https://securelist.com/new-macos-backdoor-crypto-stealer/111778/

22/01/2024 10:41:52

We review a new macOS backdoor that piggybacks on cracked software to replace Bitcoin and Exodus wallets with malware.

Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-new-malicious-browser-extension-for-stealing-cryptocurrencies/

05/04/2023 08:59:27

Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.

Liens par page

Filtres