Wormable Malware Turns Misconfigured Docker APIs into Dero Miners

Self-Spreading Malware Targets Docker Containers to Mine Dero Cryptocurrency

  • A new malware campaign targets misconfigured Docker API instances and turns them into a cryptocurrency mining botnet.
  • The malware spreads by scanning the internet for exposed Docker APIs and uses compromised instances to mine Dero coins.
  • The attack uses two Golang-based components: one for spreading itself called “nginx,” and another for mining Dero cryptocurrency.
  • The malware disguises itself using legitimate-sounding names and infects both new and existing Docker containers, focusing on Ubuntu-based systems.
  • A separate Monero mining campaign also uses a new backdoor built on the PyBitmessage protocol for command and control purposes.

A recent malware campaign has begun exploiting unsecured Docker API endpoints, converting affected containers into a botnet for Dero cryptocurrency mining. The self-spreading malware scans the internet for vulnerable Docker instances, enabling it to quickly grow its number of infected hosts.


Security researchers from Kaspersky discovered that an unidentified attacker gains access through public Docker APIs and deploys malicious software to create a network of mining bots. According to the report, the campaign uses worm-like behavior, allowing compromised machines to scan for additional targets and spread the malware further.

Two main components drive the attack. The first, called “nginx,” scans for exposed Docker APIs and deploys a miner payload named “cloud.” Both programs are written in Golang. The “nginx” tool imitates the well-known nginx web server to avoid detection. As security researcher Amged Wageh explained, “This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks.”

The spreading malware generates random IP addresses, checks if Docker’s remote control service (dockerd) is accessible, and, if so, deploys malicious containers with random names. It installs necessary programs like “masscan” for network scanning and “docker.io” for Docker operations, allowing it to keep searching for more targets. The “nginx” binary is added to the shell configuration for persistence, ensuring it starts every time a shell session opens. “Then nginx prepares the new container to install dependencies later by updating the packages via ‘docker -H exec apt-get -yq update’,” Wageh said.

Kaspersky linked the infrastructure and tactics to earlier Dero mining operations found by CrowdStrike and Wiz in 2023 and 2024, respectively. The campaign uses the open-source DeroHE CLI miner to carry out its mining operations. The mining activity is not controlled by a central server, making it harder to track or disrupt. Any organization running a containerized environment with an insecurely exposed Docker API is at risk.
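The exposure this campaign depends on is a dockerd listener bound to a TCP socket without TLS client authentication. The following audit script is an added example for defenders, not code from Kaspersky's report or from the campaign itself: it reads the two places that exposure is usually configured (the `hosts` and `tlsverify` keys of `daemon.json`, and the `-H`/`--host` and `--tlsverify` flags on a dockerd command line such as a systemd `ExecStart=`), classifies each listener, and reports the worst finding. The sample configurations and command line are constructed for the example; the Docker keys and flags named are the documented ones, and `unix://` and `fd://` listeners are treated as local-only.

```python
"""Audit dockerd listener configuration for an unauthenticated TCP API.

Added example: checks daemon.json and dockerd command-line flags for a tcp://
listener that is reachable beyond loopback without --tlsverify.
"""
import json
import shlex

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}
SEVERITY_ORDER = {"CRITICAL": 3, "MEDIUM": 2, "LOW": 1, "NONE": 0}


def hosts_from_daemon_json(text):
    """Return (hosts, tls_verify) from a daemon.json document."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), cfg.get("tlsverify") is True


def hosts_from_cmdline(cmdline):
    """Return (hosts, tls_verify) from a dockerd command line (e.g. systemd ExecStart=)."""
    args = shlex.split(cmdline)
    hosts, tls = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1  # consume the value
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls = True
        i += 1
    return hosts, tls


def _split_bind(rest):
    """Split 'addr:port' into (addr, port); bracketed IPv6 is handled, bare '::' is not."""
    if ":" in rest and not rest.endswith("]"):
        bind, _, port = rest.rpartition(":")
        return bind, port
    return rest, ""


def assess(hosts, tls_verify):
    """Classify every tcp:// listener; unix:// and fd:// are skipped as local-only."""
    findings = []
    for listener in hosts:
        scheme, sep, rest = listener.partition("://")
        if not sep or scheme != "tcp":
            continue
        bind, port = _split_bind(rest)
        if bind in LOOPBACK:
            severity, note = "LOW", "TCP API bound to loopback only"
        elif tls_verify:
            severity, note = "MEDIUM", "remote TCP API, client certificates required"
        else:
            severity, note = "CRITICAL", "remote TCP API with no authentication (--tlsverify not set)"
        # An empty bind address is reported as '*' and treated as reachable, not as loopback.
        findings.append({"listener": listener, "bind": bind or "*", "port": port,
                         "severity": severity, "note": note})
    return findings


def worst(findings):
    """Return the highest severity among the findings, or 'NONE'."""
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.get, default="NONE")


# Constructed samples (not taken from any real host).
WEAK_DAEMON_JSON = '{"hosts": ["fd://", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["fd://", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_EXECSTART = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for label, (hosts, tls) in [
        ("weak daemon.json", hosts_from_daemon_json(WEAK_DAEMON_JSON)),
        ("hardened daemon.json", hosts_from_daemon_json(HARDENED_DAEMON_JSON)),
        ("weak ExecStart", hosts_from_cmdline(WEAK_EXECSTART)),
    ]:
        findings = assess(hosts, tls)
        print(f"{label}: {worst(findings)}")
        for f in findings:
            print(f"  {f['severity']:8} {f['listener']:<24} {f['note']}")
```

The hardened sample still rates MEDIUM rather than LOW because a TLS-authenticated remote API remains a privileged control surface: anyone holding a trusted client certificate can start arbitrary containers, so the certificate material deserves the same handling as root credentials. In a real audit, feed the script the contents of `/etc/docker/daemon.json` and the `ExecStart=` line from the dockerd unit on each host.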

In a related development, the AhnLab Security Intelligence Center (ASEC) reported another campaign that delivers a Monero mining tool and a new backdoor using the PyBitmessage protocol. This protocol enables peer-to-peer encrypted communication and hides command messages within seemingly ordinary network traffic. The backdoor allows attackers to send instructions that are executed as PowerShell scripts.

ASEC warned that the exact distribution method is uncertain but may involve disguised cracked software. They advise users to avoid downloading applications from untrusted sources and use official channels only. The team stated, “Threat actors exploited the PyBitmessage module, which implements this protocol in the Python environment, to exchange encrypted packets in a format similar to regular web traffic. In particular, C2 commands and control messages are hidden within messages from real users in the Bitmessage network.”


These incidents highlight ongoing threats to containerized and cloud-based environments, emphasizing the need to secure Docker APIs and avoid risky downloads.
