According to a report by cybersecurity company Kaspersky, newly discovered Linux malware activities are compromising insecure Docker infrastructure, turning exposed servers into part of a decentralized crypto-hijacking network for mining the privacy coin Dero.
The attack begins with a Docker API left exposed on TCP port 2375, the daemon's plain (non-TLS) listener. Once access is gained, the malware creates malicious containers and infects containers already running on the host, stealing system resources to mine Dero and scanning for further targets without any central command server. Docker itself is a set of tools and products that use operating-system-level virtualization to deliver software in small packages called containers.

The threat actors behind the operation deployed two Golang-based implants: one named "nginx", deliberately disguised as the legitimate web server software, and another named "cloud", which is the actual Dero mining software. Once a host is infected, the nginx module continuously scans the internet for more vulnerable Docker nodes, identifying targets with tools such as Masscan and deploying new infected containers on them. To avoid detection, it encrypts its configuration data, including wallet addresses and Dero node endpoints, and hides itself in paths typically used by legitimate system software.

Kaspersky found that the wallet and node infrastructure is the same as that used in earlier crypto-hijacking activity targeting Kubernetes clusters in 2023 and 2024, indicating that this is an evolution of a known operation rather than an entirely new threat.
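The exposure the campaign relies on is a Docker daemon listening for API requests on plain TCP port 2375. The following audit script is an added illustration, not code from Kaspersky's report or from Docker: it inspects the two places a daemon is usually configured (the `hosts` key of `/etc/docker/daemon.json` and the `dockerd` command line used by a systemd unit) and reports TCP listeners bound to non-loopback addresses without TLS. All sample inputs are constructed.

```python
"""Audit Docker daemon settings for a plain-TCP API listener (added example)."""
import json
import re
import shlex
from typing import List

PLAIN_API_PORT = 2375  # Docker's default port for the non-TLS API listener
LOOPBACK = ("127.0.0.1", "localhost", "::1", "[::1]")


def exposed_tcp_hosts(hosts: List[str]) -> List[str]:
    """Return tcp:// listeners bound to a non-loopback address as host:port."""
    hits = []
    for h in hosts:
        m = re.match(r"tcp://(\[[^\]]*\]|[^:/]*)(?::(\d+))?", h)
        if not m:  # unix:// and fd:// sockets are not network-reachable
            continue
        addr, port = m.group(1), int(m.group(2) or PLAIN_API_PORT)
        if addr in LOOPBACK:
            continue
        hits.append(f"{addr or '0.0.0.0'}:{port}")
    return hits


def _tls_enabled(argv: List[str]) -> bool:
    """True if the command line turns on --tls or --tlsverify."""
    for a in argv:
        key, _, val = a.partition("=")
        if key in ("--tls", "--tlsverify") and val.lower() not in ("false", "0"):
            return True
    return False


def audit_daemon_json(text: str) -> List[str]:
    """Flag daemon.json hosts that expose the API over TCP without TLS."""
    cfg = json.loads(text)
    if cfg.get("tls") or cfg.get("tlsverify"):
        return []  # client certificates required; not the port-2375 pattern
    return exposed_tcp_hosts(cfg.get("hosts", []))


def audit_dockerd_cmdline(cmd: str) -> List[str]:
    """Flag -H/--host tcp listeners on a dockerd command line without TLS."""
    argv = shlex.split(cmd)
    if _tls_enabled(argv):
        return []
    hosts = []
    for i, a in enumerate(argv):
        if a in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif a.startswith(("--host=", "-H=")):
            hosts.append(a.split("=", 1)[1])
    return exposed_tcp_hosts(hosts)


# Constructed samples: the first two show the exposure abused in the campaign.
SAMPLE_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CMD = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
SAFE_JSON = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true}'
```

Run `audit_daemon_json` on a host's real `daemon.json` and `audit_dockerd_cmdline` on the `ExecStart` line of its docker unit; a non-empty result is the configuration this campaign scans for.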


