Malware overview – Graboid

Introduction

In October 2019, security researchers from Unit 42 at Palo Alto Networks discovered a new malware called Graboid. It is a cryptojacking malware that spreads by using Docker Engine containers. This innovative propagation technique makes Graboid difficult to detect, because most endpoint protection software does not inspect data inside Docker Engine containers. Although the current version of Graboid is not very sophisticated, it has the potential to evolve into a much more powerful cryptojacking malware.

This article explains how Graboid infects other computers, the cryptojacking activities conducted by Graboid, and the measures organizations can take to protect against it.

Infection

Graboid spreads through unsecured Docker daemons. More specifically, it runs a Docker image on a compromised host; the image includes a Docker client tool that can communicate with other Docker hosts. Graboid downloads four scripts, namely live.sh, worm.sh, cleanxmr.sh and xmr.sh, and executes them repeatedly in that order. The effect of each script is examined in more detail below.

live.sh

After live.sh runs, the compromised host reports the number of available central processing units (CPUs) to the command-and-control servers associated with Graboid.

worm.sh

Running worm.sh downloads a file called “IP”, which contains a list of more than 2000 IP addresses of hosts with unsecured Docker API endpoints. Once the file is downloaded, Graboid randomly picks one of the addresses in the list and uses the Docker client tool to spread itself to that unsecured host.

cleanxmr.sh

cleanxmr.sh has a rather unexpected function: it randomly selects one of the unsecured hosts and stops the cryptojacking activity that Graboid is running on that host.
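The exposure that worm.sh hunts for is a Docker daemon whose API listens on TCP without client-certificate authentication. The following audit helper is an added example, not code from the original article or from Unit 42; it assumes the defender can read the host's daemon.json and the running dockerd command line, and it flags every tcp:// listener that is not protected by tlsverify.

```python
import json
import shlex
from urllib.parse import urlsplit


def _hosts_from_cmdline(argv):
    """Collect every listener given with -H/--host on the dockerd command line."""
    hosts = []
    for i, a in enumerate(argv):
        if a in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a.startswith("-H") and len(a) > 2:
            hosts.append(a[2:])
    return hosts


def _flag_set(argv, name):
    """True if a boolean dockerd flag such as --tlsverify is enabled on the command line."""
    return any(a == name or a == name + "=true" for a in argv)


def audit_dockerd(daemon_json: str, cmdline: str = "") -> list[str]:
    """Report TCP listeners of a Docker daemon that lack client-certificate authentication.

    daemon_json: contents of /etc/docker/daemon.json ("{}" if the file is absent).
    cmdline: the running dockerd command line, e.g. from `ps -o args= -C dockerd`.
    dockerd refuses to start when `hosts` is set in both places; the audit simply merges them.
    """
    cfg = json.loads(daemon_json or "{}")
    argv = shlex.split(cmdline)
    hosts = list(cfg.get("hosts", [])) + _hosts_from_cmdline(argv)
    tlsverify = bool(cfg.get("tlsverify")) or _flag_set(argv, "--tlsverify")
    tls = tlsverify or bool(cfg.get("tls")) or _flag_set(argv, "--tls")
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are gated by file permissions, not the network
        if tlsverify:
            continue  # mutual TLS: only clients with a certificate signed by the CA reach the API
        addr = u.hostname or "0.0.0.0"  # tcp://:2375 means all interfaces
        if addr in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"HIGH: {h} is unauthenticated; any local process can use it to gain root")
        elif tls:
            findings.append(f"HIGH: {h} encrypts traffic (tls) but accepts any client; set tlsverify")
        else:
            findings.append(f"CRITICAL: {h} is a plaintext, unauthenticated API on the network; "
                            "this is the exposure Graboid's IP list is built from")
    return findings
```

A clean result is an empty list; anything else should be fixed by binding the API to a unix socket or enabling tlsverify with a dedicated CA.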

xmr.sh


*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Daniel Dimov. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/EW8QsFtmi8w/