Full Report
On 2019-10-16, a campaign was reported involving an unknown actor gaining initial access via software misconfiguration, targeting Docker to achieve resource hijacking. The following tools were observed: Graboid.
Analysis Summary
# Tool/Technique: Graboid
## Overview
Graboid is malware observed in a campaign targeting Docker deployments; its impact is resource hijacking, specifically cryptojacking activity.
## Technical Details
- Type: Malware Family (Specifically, a cryptojacking worm)
- Platform: Docker/Linux environments
- Capabilities: Resource hijacking, persistence, propagation via Docker Hub images.
- First Seen: October 2019 (as reported)
## MITRE ATT&CK Mapping
- TA0003 - Persistence
  - T1543.003 - Create or Modify System Process: Scheduled Task/Job
- TA0011 - Command and Control
  - T1071.001 - Application Layer Protocol: Web Protocols (Implied for initial C2/payload delivery)
- TA0008 - Lateral Movement
  - T1021.001 - Remote Services: SSH (Potentially implied, or via container escapes)
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (Common for malware)
- TA0002 - Execution
  - T1059.006 - Command and Scripting Interpreter: Python
- TA0010 - Impact
  - T1496 - Resource Hijacking (Primary observed impact)
## Functionality
### Core Capabilities
- **Resource Hijacking (Cryptojacking):** Its primary goal is to utilize compromised system resources (CPU/compute power) to mine cryptocurrency.
- **Initial Access via Misconfiguration:** Leveraged exposed or misconfigured Docker instances for initial compromise.
### Advanced Features
- **Worm-like Propagation:** The malware was designed to spread itself by infecting Docker images hosted on Docker Hub, turning public repositories into vectors that infect other users who pull those images.
## Indicators of Compromise
- File Hashes: [Not provided in the summary context]
- File Names: [Not provided in the summary context]
- Registry Keys: [Not applicable/Not provided]
- Network Indicators: [Specific C2 infrastructure not provided, but implies outbound communication for mining pools/updates]
- Behavioral Indicators: Anomalous Docker daemon activity, unexplained CPU spikes in containers, or installation/execution of cryptocurrency-mining software inside containers.
## Associated Threat Actors
- Unknown actor (as reported in the context)
## Detection Methods
- **Signature-based detection:** Signatures targeting the binary or known scripts associated with Graboid's payload delivery.
- **Behavioral detection:** Monitoring containers/hosts for attempts to install crypto-mining software (e.g., XMRig) or for unusual sustained high CPU utilization within container environments.
- **YARA rules:** Rules targeting unique strings or compiled artifacts specific to the Graboid malware.
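One way to implement the behavioral checks above (sustained container CPU load and miner-like process launches), as an added example that is not from the original report; the sample data, marker list and thresholds are constructed assumptions:

```python
"""Behavioural checks for container cryptojacking (constructed sample data, assumed thresholds)."""
from collections import defaultdict

# Command-line fragments typical of mining software (assumed indicator list).
MINER_MARKERS = ("xmrig", "minerd", "cpuminer", "stratum+tcp://", "--donate-level")
CPU_THRESHOLD = 85.0   # percent of one core (assumption)
SUSTAINED_SAMPLES = 3  # consecutive samples above threshold (assumption)


def sustained_high_cpu(samples, threshold=CPU_THRESHOLD, run=SUSTAINED_SAMPLES):
    """Containers whose CPU% stayed >= threshold for `run` consecutive samples.
    samples: (timestamp, container, cpu_percent) tuples in time order, as
    `docker stats` would report them. A single spike does not qualify."""
    streak = defaultdict(int)
    flagged = set()
    for _ts, name, cpu in samples:
        streak[name] = streak[name] + 1 if cpu >= threshold else 0
        if streak[name] >= run:
            flagged.add(name)
    return sorted(flagged)


def miner_exec_events(events):
    """(container, cmdline) pairs whose command line matches a miner marker.
    events: (container, cmdline) tuples, e.g. from process-start auditing."""
    return [(name, cmd) for name, cmd in events
            if any(m in cmd.lower() for m in MINER_MARKERS)]


# Constructed sample data, not from a real incident.
CPU_SAMPLES = [
    ("t0", "web", 12.0), ("t0", "job-runner", 97.5),
    ("t1", "web", 15.0), ("t1", "job-runner", 99.1),
    ("t2", "web", 95.0), ("t2", "job-runner", 98.7),  # web: one-off spike
    ("t3", "web", 11.0), ("t3", "job-runner", 99.4),
]
EXEC_EVENTS = [
    ("web", "nginx -g daemon off;"),
    ("job-runner", "/tmp/xmrig -o stratum+tcp://pool.example:3333 --donate-level 1"),
    ("job-runner", "python3 worker.py"),
]

if __name__ == "__main__":
    print("sustained high CPU:", sustained_high_cpu(CPU_SAMPLES))
    for name, cmd in miner_exec_events(EXEC_EVENTS):
        print(f"miner-like process in {name}: {cmd}")
```

In practice the CPU samples would come from the container runtime's stats API and the exec events from process auditing on the host, so both checks run continuously rather than on a fixed list.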
## Mitigation Strategies
- **Prevention Measures:** Implement Docker security best practices (e.g., rootless containers, limiting container capabilities).
- **Hardening Recommendations:**
  * Regularly scan all base images used in the environment.
  * Ensure Docker registry authentication is strictly enforced.
  * Implement strong network segmentation between containers and the host system.
  * Utilize Docker Content Trust to verify image sources.
## Related Tools/Techniques
- Other container-focused cryptojacking malware (e.g., Kinsing, Doki).
- Techniques involving leveraging software misconfiguration for initial compromise.