Docker is the latest in popular technology where developers can quickly configure and deploy containers in an environment without affecting other components of an application. It’s a way to turn monolithic code bases into compartments that work individually on the network. Docker is one container provider that works in the cloud. Docker makes it easier for developers to download and install its engine. It also has a Docker Hub where developers can download pre-configured containers that don’t need too many configurations.

Pre-Configured Software Containers and Malware

With containers, you have a piece of your application that can be created or destroyed as you need it. Containers have been making the rounds in popularity from companies that have large code bases and want to make their application code more flexible and scalable without the need to compile and deploy the entire code base with every version.

With Docker containers, the business can cut up their code base and focus on just sections of the code. Developers can easily create, destroy, and deploy as they build the application without affecting other sections of the production environment. The only limit compared with traditional virtual machines (VMs) is that the Docker container and its content must run on the underlying operating system installed on the server.

Instead of building their own containers, developers were able to go to the Docker Hub site and choose from dozens of other Docker containers pre-configured with applications and settings that the developers could then plug into their existing environment. The setups are called images, not like a standard hard drive image that you install on a server.

Several months ago, an attacker with the account “docker123321” uploaded three publicly shareable images to the Docker Hub. These malicious images contained malware for cryptocurrency mining. They also contained a backdoor where an attacker could download additional malware to the local machine target. What makes this cyber attack unique is the vendor response. Several developers complained about the malware-infected image and Docker did nothing to remove it until recently. This means that the malware-infested image was available for several months for download while Docker administrators did nothing to stop the malware’s distribution.

Cryptomining and Malware

Cryptomining is the new malware for attackers. It provides a much more anonymous way to steal funds from victims. And it’s much easier to gain monetary rewards for attacks. Instead of stealing credit card data and going through the motions to find the cards that have room and the ability for the attacker to charge on them, a cryptomining application built into a Docker images gives an attacker a way to automatically mine bitcoin (or any other cryptocurrency of their choice) and send it to an anonymous wallet.

Although bitcoin is not completely anonymous, the wallets that are publicly visible on the blockchain do not have a real name attached to them. Unless the attacker makes their wallet known, it is anonymous in the sense that the general public cannot see the name or owner of a bitcoin wallet.

Because bitcoin mining has become a more popular way to steal money from people, it’s a primary issue administrators. Antivirus doesn’t always catch these miners. Plus, the only evidence of a hidden miner on a computer is that it eats resources like CPU and RAM. Mining requires computers to perform complex calculations, and from the results, a bitcoin is mined. Miners pool resources and increase their chances of winning cryptocurrency with more resources available. But it requires money and a setup.