{
  "name": "Dero miner spreads inside containerized Linux environments",
  "slug": "dero-miner-spreads-inside-containerized-linux-environments",
  "description": "A new Dero mining campaign is infecting containerized Linux environments through exposed Docker APIs. The attack uses two Golang malware components: 'nginx' for propagation and 'cloud' for mining. The 'nginx' malware scans for vulnerable Docker hosts, creates malicious containers, and compromises existing containers. It maintains persistence and spreads without relying on a command-and-control server. The 'cloud' component is a modified DeroHE CLI miner with hardcoded wallet and node addresses. This campaign demonstrates the risks of insecurely exposed Docker APIs and the need for robust container security measures.",
  "published": "2025-05-21T21:03:23+00:00",
  "created_at": "2025-05-21T21:03:23+00:00",
  "modified_at": "2025-05-22T07:51:39+00:00",
  "created_at_opencti": "2025-05-21T21:03:23+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-21",
    "cloud",
    "container security",
    "cryptocurrency mining",
    "dero",
    "docker",
    "golang malware",
    "linux",
    "nginx",
    "persistence",
    "port scanning"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "h.windowsupdatesupport.link"
      },
      {
        "id": "",
        "name": "d.windowsupdatesupport.link"
      },
      {
        "id": "",
        "name": "e4aa649015b19a3c3350b0d897e23377d0487f9ea265fe94e7161fed09f283cf"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:cab8765c23ea1d60",
        "name": "Dero",
        "slug": "dero"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "6d618903-d9f6-4747-aec2-7630f43c1908",
        "name": "T1496"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "747c7b95-79ff-4132-8ea5-397cb6665ebd",
        "name": "T1498"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://securelist.com/dero-miner-infects-containers-through-docker-api/116546",
    "https://otx.alienvault.com/pulse/682e5bbbcf6c65b71fba1504"
  ]
}