
Misconfigured Kubernetes Clusters Under Attack by Cryptojacking Campaign

Cybersecurity researchers have issued a warning regarding an ongoing cryptojacking campaign that targets misconfigured Kubernetes clusters to mine the Dero cryptocurrency.

Wiz, a cloud security firm, revealed that this campaign is an updated version of a financially-motivated operation that was first uncovered by CrowdStrike in March 2023.

The researchers at Wiz, Avigayil Mechtinger, Shay Berkovich, and Gili Tikochinski, stated that in this particular incident, the threat actor exploited anonymous access to an Internet-facing cluster to launch malicious container images from Docker Hub, some of which have garnered over 10,000 pulls. These Docker images contain a UPX-packed Dero miner named ‘pause.’

The initial access is gained by targeting externally accessible Kubernetes API servers with anonymous authentication to deliver the miner payloads.

Unlike the 2023 version, which deployed a Kubernetes DaemonSet called “proxy-api,” the current iteration utilizes seemingly innocuous DaemonSets named “k8s-device-plugin” and “pytorch-container” to ultimately execute the miner on all nodes of the cluster.

Additionally, the choice of naming the container “pause” is an attempt to pass it off as the actual “pause” container used to bootstrap a pod and enforce network isolation in Kubernetes.
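Defenders can turn the indicators above into a simple hunt over existing workloads. The added example below (not code from Wiz or the article) takes the JSON shape produced by `kubectl get daemonsets -A -o json` and flags DaemonSets that carry the campaign's names or declare a container called "pause" backed by an image outside the Kubernetes registries; the sample input, including the image name `example-user/pause`, is constructed for illustration.

```python
import json

# DaemonSet names reported for the 2023 campaign and the current iteration.
CAMPAIGN_DS_NAMES = {"proxy-api", "k8s-device-plugin", "pytorch-container"}
# Registries that host the real Kubernetes pause image.
PAUSE_IMAGE_REGISTRIES = {"registry.k8s.io", "k8s.gcr.io"}

# Constructed sample in the shape of `kubectl get daemonsets -A -o json`:
# one legitimate node-exporter DaemonSet and one mimicking the campaign.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "node-exporter", "namespace": "monitoring"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "node-exporter", "image": "quay.io/prometheus/node-exporter:v1.8.1"}]}}}},
    {"metadata": {"name": "k8s-device-plugin", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "pause", "image": "example-user/pause:latest"}]}}}},
]})

def image_registry(image):
    """Return the registry host of an image reference; bare names mean Docker Hub."""
    first = image.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"

def audit_daemonsets(ds_json):
    """Return [(namespace, name, [reasons])] for DaemonSets matching the campaign pattern."""
    findings = []
    for ds in json.loads(ds_json).get("items", []):
        meta = ds["metadata"]
        reasons = []
        if meta["name"] in CAMPAIGN_DS_NAMES:
            reasons.append("DaemonSet name matches campaign indicator")
        for c in ds["spec"]["template"]["spec"].get("containers", []):
            image = c.get("image", "")
            # The real pause container is injected by the kubelet, so one declared in a
            # manifest and pulled from anywhere but the Kubernetes registries is suspect.
            if c.get("name") == "pause" and image_registry(image) not in PAUSE_IMAGE_REGISTRIES:
                reasons.append(f"container 'pause' uses non-Kubernetes image {image}")
            # Docker Hub origin is only supporting context, not a finding on its own.
            if image_registry(image) == "docker.io" and reasons:
                reasons.append(f"image {image} pulled from Docker Hub")
        if reasons:
            findings.append((meta["namespace"], meta["name"], reasons))
    return findings

if __name__ == "__main__":
    for ns, name, reasons in audit_daemonsets(SAMPLE):
        print(f"{ns}/{name}: " + "; ".join(reasons))
```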

The cryptocurrency miner is an open-source binary written in Go that has been modified to embed the wallet address and custom Dero mining pool URLs within the code. It is also obfuscated using the open-source UPX packer to hinder analysis.

Because the mining configuration is embedded in the binary, the miner can run without the command-line arguments that security tooling typically monitors.

Wiz also identified additional tools developed by the threat actor, including a Windows sample of a UPX-packed Dero miner and a dropper shell script designed to terminate competing miner processes on an infected host and deploy GMiner from GitHub.

The researchers noted that the attacker registered domains with innocent-sounding names to avoid suspicion and blend in with legitimate web traffic, while concealing communication with well-known mining pools.

“These tactics demonstrate the attacker’s ongoing efforts to adapt and stay ahead of defenders,” the researchers concluded.
