Container images found infected with cryptomining malware in Docker Hub

Images on popular platform infected with malware

Cloud images freely available on the web are secretly spreading cryptocurrency-mining malware.


No fewer than 30 images publicly available on Docker Hub, with over 20 million collective downloads, have recently been discovered to spread Monero-mining malware scripts.

At the time of writing, the amount of Monero mined through the malware-spreading images is worth approximately $200,000. The malicious activity was reported by Aviv Sasson, a researcher at Palo Alto Networks.

Monero is the cryptocurrency the hackers prefer to mine with the newly discovered malware because its hidden transaction paths provide very high levels of anonymity. Additionally, Monero mining is more cost-efficient than Bitcoin mining, and the hardware requirements to mine it effectively are significantly lower, making it possible to run Monero-mining scripts on less powerful machines, ones that aren’t specifically put together to generate cryptocurrency.

According to Sasson, the hackers primarily use the well-worn XMRig miner to generate Monero on the attacked machines.

Sasson explains that this crypto-miner is highly efficient and easy to use, making it perfect for the job. Additionally, it is open source, so the hackers are able to freely modify its code. One modification that hackers frequently make to open-source miner software is to remove any code that forces the miner to send a percentage of the generated cryptocurrency to its developer.

Other than Monero, the hackers also mined two other cryptocurrencies: Arionum and Grin, though in much smaller percentages of the mining pools (3.2% and 6.5% respectively).

Cryptojacking malware tailored to operate on different systems

The malware-infested images were hosted in the Docker Hub container registry, where cloud developers were using them to build cloud apps. Since this is a public code repository similar to Ruby or npm, uploading images to Docker Hub can be done by anyone, including cryptocurrency-mining hackers.

Sasson discovered that the hackers responsible for uploading the malware images have added tags to each image that refer to other versions of it. According to the researcher, the likely reason for this is to match the appropriate malware version with the specific version of the image used in the app. Apparently, some of the infected images have specific versions for different operating systems or CPU architectures in order to maximize the number of computers on which the crypto-mining malware could effectively run.

Separate cryptojacking instances could be linked

Through further research, Sasson has discovered that a number of Docker Hub accounts can be traced back to the same virtual wallets, meaning that they are part of the same campaign. There is therefore a high possibility that those 30 images are only a small portion of a much larger cryptomining campaign.

According to the researcher, the tool he used when looking for infected images was a scanner capable of spotting only less advanced crypto-mining malware. Therefore, it is likely that other infected Docker Hub images may contain malware that’s more difficult to detect and has therefore not yet been discovered.
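As an added illustration (not the researcher's tool and not code from the original article), the sketch below shows the kind of simple metadata heuristic that catches only unsophisticated miners, and how a shared wallet address links images from different accounts. It assumes the input is an OCI image configuration (the `config` and `history` fields); the indicator patterns, image names, pool host and wallet are constructed for the example.

```python
import re
from collections import defaultdict

# Heuristic indicators chosen for this example (an assumption, not the researcher's rules).
INDICATORS = {
    "xmrig_name": re.compile(r"xmrig", re.I),
    "stratum_url": re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.I),
    "donate_level": re.compile(r"--donate-level[= ]\d+"),
}
# Standard Monero address: 95 base58 characters starting with 4.
MONERO_ADDR = re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")

def image_strings(config):
    """Strings in an OCI image config that say what runs at start-up or at build time."""
    cfg = config.get("config") or {}
    command = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    history = [h.get("created_by", "") for h in config.get("history") or []]
    return [command] + (cfg.get("Env") or []) + history

def scan_image(config):
    """Return (sorted indicator names, set of Monero addresses) found in one image config."""
    texts = image_strings(config)
    hits = sorted(n for n, rx in INDICATORS.items() if any(rx.search(t) for t in texts))
    wallets = {m for t in texts for m in MONERO_ADDR.findall(t)}
    return hits, wallets

def group_by_wallet(images):
    """Map each wallet to the image names that reference it (same wallet, same campaign)."""
    groups = defaultdict(set)
    for name, config in images.items():
        for wallet in scan_image(config)[1]:
            groups[wallet].add(name)
    return dict(groups)

# Constructed sample data: image names, pool host and wallet are placeholders.
WALLET = "4" + "A" * 94
SAMPLES = {
    "acct-one/tool:latest": {"config": {
        "Entrypoint": ["/usr/local/bin/xmrig"],
        "Cmd": ["-o", "stratum+tcp://pool.example.invalid:3333", "-u", WALLET, "--donate-level=0"]}},
    "acct-two/helper:arm64": {"config": {
        "Cmd": ["worker", "--url", "stratum+ssl://pool.example.invalid:443"],
        "Env": ["POOL_USER=" + WALLET]}},
    "acct-three/web:1.0": {"config": {"Entrypoint": ["nginx"], "Cmd": ["-g", "daemon off;"]},
        "history": [{"created_by": "RUN apt-get install -y nginx"}]},
}

if __name__ == "__main__":
    for name, config in SAMPLES.items():
        print(name, scan_image(config))
    print(group_by_wallet(SAMPLES))
```

A check like this only reads what the image declares about itself, so it says nothing about images whose metadata contains none of these strings.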

This is not the first Docker Hub cryptojacking attempt

This is not the first instance of malware and cryptojacking campaigns targeted at Docker Hub. Similar attempts have been taking place since 2018 (if not earlier), and one of the main reasons for that is the large amount of hardware resources that such attacks can yield.

Through the cloud, the crypto-mining malware could spread to many CPUs, virtual machines, and containers, greatly increasing the amount of computing power that could be used for mining. Additionally, such operations could go unnoticed for long periods of time, allowing the hackers to secretly mine crypto for longer.

A previous Docker Hub cryptojacking campaign used the Doki Linux backdoor, which generates command-and-control domain names through the use of a blockchain wallet. Another Docker Hub campaign targeted misconfigured ports to spread cryptojacking worms. In December of last year, researchers also uncovered a whole Monero-mining botnet, currently known as Xanthe, that has been able to exploit misconfigured API installations and thus target Linux machines.


About the author

Brandon Skies

Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.
