{
	"id": "7315f3fb-cad6-4818-a433-cb36e147b1c4",
	"created_at": "2026-04-06T00:16:36.854135Z",
	"updated_at": "2026-04-10T13:13:07.246739Z",
	"deleted_at": null,
	"sha1_hash": "f99377806a34e690aea70568dd9dd4334c2f5c07",
	"title": "Infected Containers Target Docker via Exposed APIs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1178487,
	"plain_text": "Infected Containers Target Docker via Exposed APIs\r\nBy By: Alfredo Oliveira May 30, 2019 Read time: 4 min (1009 words)\r\nPublished: 2019-05-30 · Archived: 2026-04-05 18:51:50 UTC\r\nAs part of our efforts to monitor malicious activity aimed at containers, we set up a machine that simulated a Docker host\r\nwith an exposed API — one of the most common targets of container-based threatsnews article — to act as a honeypot. Our\r\ngoal was to monitor the honeypot and detect if someone finds and uses it to deploy unwanted containers, after which we\r\nwould ideally be able to trace them back to their source. We recently checked on the status of our honeypot and discovered\r\nthat a single image or snapshot of a container was already deployed in the environment.\r\nBy analyzing the logs and traffic data coming to and from the honeypot, we learned that the container came from a public\r\n(and thus accessible) Docker Hub repository named zoolu2. Upon checking and downloading the contents of the repository,\r\nwe found that it contained nine images composed of custom-made shells, Python scripts, configuration files, as well as\r\nShodan and cryptocurrency-mining software binaries. Note that Docker caught the repository independently and has taken it\r\noffline as of writing.\r\nAll the images in the zoolu2 repository contained the binary of a Monero (XMR) cryptocurrency miner. This piqued our\r\ninterest since we’ve already had experience with containers being deployed as miners. In addition, some of the images\r\ncontained a Shodan script that lists Docker hosts with exposed APIs, which we surmised was being used to identify suitable\r\ntargets for further container distribution.\r\nhttps://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html\r\nPage 1 of 6\n\nFigure 1. The zoolu2 Docker Hub repository\r\nDeployment and routine\r\nhttps://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html\r\nPage 2 of 6\n\nFigure 2. Infection chain\r\nWe decided to analyze the nine images to learn more about them. We discovered that the images are first deployed using a\r\nscript (ubu.sh, detected as PUA.Linux.XMRMiner.AA.component) that checks hosts with publicly exposed APIs. It then\r\nuses Docker commands (POST /containers/create) to remotely create the malicious container.\r\nThis script also starts an SSH daemon inside the container for remote communication. The script then calls a Monero coin-mining binary, darwin (detected as PUA.Linux.XMRMiner.AA), to run in the background. As with all cryptocurrency\r\nminers, it uses the resources of the host system to mine cryptocurrency (Monero in this instance) without the owner’s\r\nknowledge. An interesting characteristic of the attack is that it uses a cryptocurrency miner that it is being built from scratch\r\ninstead of an existing one.\r\nFigure 3. Docker image entry calling the coin miner binary (darwin) and then the script to find other misconfigured Docker\r\nhosts (rip)\r\nFigure 4. Cryptocurrency miner binary details\r\nThe binary also contains a shell script that uses the Shodan API to perform a search for other Docker hosts with exposed\r\nAPIs, using “port:2375+product:Docker” as its main query. We suspected this as a means of compiling new hosts to infect.\r\nhttps://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html\r\nPage 3 of 6\n\nFigure 5. Code showing the function used to log into Shodan and search for Docker hosts with open default ports\r\nFigure 6. Usernames and passwords to be used for brute-force attacks on the open ports found via Shodan search\r\nOur suspicions regarding what the IP list is used for was correct: Once an exposed Docker host is located, it is added to a list\r\n(iplist.txt file), which is further sorted for unique IPs. It also checks if the target host already has an existing cryptocurrency-mining container running, which is deleted if found.\r\nIt then reaches out to its C\u0026C servers to deploy additional containers to other exposed hosts based on the IP list. It then\r\nloops to the beginning of the routine stated earlier with a new host.\r\nFigure 7. Function to remotely deploy the image as a container\r\nhttps://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html\r\nPage 4 of 6\n\nNote: While some parameters include specific regions and specific services, the search for Docker API ports and product\r\ntags is a constant.\r\nFigures 8, 9, and 10. C\u0026C with backup of the scripts and previous search terms.\r\nThe metadata of the zoolu2 images show that the components were added in May 2019. However, this might not be accurate\r\nsince the images are constantly being updated, which might indicate that the threat actors behind the images are adding more\r\nroutines or capabilities.\r\nFigure 11. Deep Discovery™ Smart Check alert for the SSH key left inside the container for future connections\r\nRecommendations and solutions\r\nThe increased adoption of containers has also led to an increase in threats that target the technology. These threats are often\r\nsuccessful, not only due to the exploitation of flaws and vulnerabilities in the container software but also due to\r\nmisconfigurationnews article, which remains a constant challenge for organizations. In this case, the hosts that have exposed\r\nhttps://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html\r\nPage 5 of 6\n\nAPIs are not just victims of cryptocurrency-mining operations — they also contribute further to the distribution of the\r\ninfected containers.\r\nUnwanted cryptocurrency-mining activity can lead to additional resource load for the targets. In this example, if the Docker\r\nhost is running on internal infrastructure, other hosts can also suffer. On the other hand, if the Docker host is using a cloud\r\nservice provider, the organization can accrue additional charges due to the higher resource usage.\r\nIn order to prevent successful attacks that target containers and hosts from affecting development environments, we\r\nrecommend the following best practices:\r\nContainers and APIs should always be properly configured in order to ensure that exploitative attacks are minimized.\r\nThis includes ensuring that they are accessible only by the internal network or by trusted sources. In addition, Docker\r\nhas specific guidelines on how their users can strengthen their security.\r\nDocker always recommends using official or certified images to ensure only trusted content is run in your\r\nenvironment.\r\nRunning containers should not be run with root privileges — instead, these should be used only as application users.\r\nBusinesses can also look into using comprehensive security software that can help them build securely, ship fast, and run\r\nanywhere. Trend Micro solutions add protection for containersproducts via the Deep Securityproducts and Deep Security\r\nSmart Checkproducts, which scans container images for malware and vulnerabilities at any interval in the development\r\npipeline to prevent threats before they are deployed.\r\nIndicators of Compromise (IoCs)\r\nDetails Hashes Detection Name\r\ndarwin\r\n(cryptocurrency-mining binary)fb4e9e2e919d2e4cc6d1caa9745df16d65ce87c0ffb9874edf33bc1db1259607 PUA.Linux.XMRMiner.AA\r\nubu.sh (shell\r\nscript)\r\n99ec380972a0808ff66c3e9638ea578a5b938cc821df38d2882a3440037994b7 PUA.Linux.XMRMiner.AA.comp\r\nSource: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html\r\nhttps://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html"
	],
	"report_names": [
		"infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434596,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f99377806a34e690aea70568dd9dd4334c2f5c07.pdf",
		"text": "https://archive.orkl.eu/f99377806a34e690aea70568dd9dd4334c2f5c07.txt",
		"img": "https://archive.orkl.eu/f99377806a34e690aea70568dd9dd4334c2f5c07.jpg"
	}
}