First of its kind ‘Graboid’ cryptojacking worm found in Docker images

17 Oct 2019

Image: © paul/

Research from Palo Alto Networks has profiled a unique kind of cryptojacking worm.

Cryptojacking, the process whereby hackers hijack the processing power of a targeted system and use it to mine cryptocurrencies, has been disseminated in many forms including via worms.

Yet the latest discovery of cryptojacking made by Palo Alto Networks, named ‘Graboid’ in homage to the 1990 Kevin Bacon film Tremors, has caught researchers’ attention due to the unique way it has presented: embedded in a Docker image.

A Docker image is a multi-layered file used to execute code in a Docker container. The threat actor in this instance gained an initial foothold through some unsecured Docker daemons and subsequently compromised more than 2,000 unsecured hosts. Once downloaded, the Graboid malware is deployed to mine for Monero, a cryptocurrency associated with a bitcoin sextortion malware that also mined for it.

‘Very random’

“This procedure leads to a very random mining behaviour,” explained the research team.

“If my host is compromised, the malicious container does not start immediately. Instead, I have to wait until another compromised host picks me and starts my mining process. Other compromised hosts can also randomly stop my mining process. Essentially, the miner on every infected host is randomly controlled by all other infected hosts.”

The researchers could not discern the purpose of the randomisation, theorising that it could be a relatively ineffective evasion technique, a self-sustaining system or even just “bad design”.

Working with Palo Alto Network’s Unit 42 research centre, Docker has since removed the malicious images, though not before they were downloaded tens of thousands of times. The majority of the infected Docker hosts were based in the US and China.

This latest research has brought the issue of container security to the fore yet again. Research from Lacework last year found more than 22,000 publicly available containers on the internet suffering from badly configured resources, lack of credentials and the use of non-secure protocols, all of which leave them vulnerable to hackers who could access the infrastructure and use it to hack into company applications.

Eva Short was a journalist at Silicon Republic