Major Cryptocurrency Mining Attack Campaign Discovered Targeting Docker Infrastructure


CyberSecureFox Editorial Team

Kaspersky Lab researchers have uncovered a sophisticated large-scale malware campaign targeting Docker container environments with the Dero cryptocurrency miner. The attack leverages automated exploitation techniques against unsecured Docker APIs, posing a significant threat to organizations utilizing container infrastructure for their operations.

Attack Surface and Target Profile

The campaign primarily targets technology companies, software developers, hosting providers, and cloud service operators whose Docker API endpoints are inadequately protected. According to Shodan data, approximately 485 Docker APIs are exposed on standard ports each month worldwide, with exposures observed in Russia and CIS countries among other regions, giving attackers an extensive attack surface.

Technical Analysis of the Malware Campaign

The attack utilizes two primary malicious components developed in Go: nginx and cloud. While the cloud component functions as the Dero mining payload, the nginx component (deliberately named after the popular web server to avoid detection) manages deployment and propagation operations. This sophisticated architecture demonstrates the attackers’ advanced understanding of container environments.

Innovative Propagation Mechanism

A notable characteristic of this campaign is its decentralized nature, operating without traditional command-and-control infrastructure. Infected containers autonomously scan networks and propagate the malware, significantly complicating detection and mitigation efforts. The threat actors have modified the open-source DeroHE CLI project, incorporating specialized mining configurations into the codebase.

Historical Context and Campaign Evolution

Security researchers have established connections between this campaign and previous attacks targeting Kubernetes clusters throughout 2023-2024. While earlier incidents utilized similar cryptocurrency wallets and derod nodes, they employed less sophisticated methodologies and lacked automated propagation capabilities, indicating a significant evolution in attack sophistication.

This emerging threat underscores the critical importance of implementing robust security measures for container environments. Organizations should prioritize securing Docker APIs through strict access controls, regular security audits, and comprehensive monitoring systems. Essential protective measures include implementing the principle of least privilege, maintaining current security patches, and conducting regular infrastructure security assessments. Additionally, organizations should consider implementing container-specific security solutions and establishing incident response procedures specifically tailored to container-based attacks.
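The exposure described above comes down to one daemon setting: the Docker API listening on a TCP socket without TLS client verification. The following audit script is an added example written for this article, not code from Kaspersky's report or from the campaign's tooling. It parses a daemon.json (the file dockerd reads from /etc/docker/daemon.json) and flags a remote-API listener that lacks `tlsverify` plus the CA and server certificate material, or that is bound to every interface. The two sample configurations are constructed for illustration; the certificate paths in the hardened one are placeholders, and the function names are this example's own.

```python
"""Audit a Docker daemon.json for unauthenticated remote API exposure.

Added example for the Dero mining campaign write-up; not Kaspersky's code.
daemon.json keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are the
ones dockerd itself accepts. Sample configs below are constructed.
"""
import json
import sys
from urllib.parse import urlparse

# Bind addresses that expose the socket on every interface. None covers a
# bare "tcp://" with no address; it is treated conservatively as exposed.
ALL_INTERFACES = {"0.0.0.0", "::", None}
TLS_MATERIAL_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(config: dict) -> list[str]:
    """Return human-readable findings; an empty list means no remote exposure found."""
    findings = []
    # Client-certificate verification only takes effect when tlsverify is on
    # and the CA plus server cert/key are all configured.
    tls_enforced = bool(config.get("tlsverify")) and all(
        config.get(key) for key in TLS_MATERIAL_KEYS
    )
    for host in config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        parsed = urlparse(host)
        addr, port = parsed.hostname, parsed.port
        where = f"{addr or '<all interfaces>'}:{port or '<default>'}"
        if not tls_enforced:
            findings.append(
                f"unauthenticated Docker API on {where}: tlsverify and "
                f"tlscacert/tlscert/tlskey are not all set"
            )
        if addr in ALL_INTERFACES:
            findings.append(f"Docker API bound to every interface on {where}")
    return findings


def audit_daemon_json(text: str) -> list[str]:
    """Parse daemon.json text and audit it."""
    return audit_daemon_config(json.loads(text))


# Constructed sample: the weak setting this campaign relies on.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed sample: remote API restricted to one interface with mutual TLS.
# Certificate paths are placeholders.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed sample: local socket only, the Docker default.
LOCAL_ONLY_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock"]
}"""


if __name__ == "__main__":
    # Usage: python audit_docker_api.py [/path/to/daemon.json]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    try:
        with open(path, encoding="utf-8") as fh:
            results = audit_daemon_json(fh.read())
    except FileNotFoundError:
        # No daemon.json means dockerd runs with defaults (unix socket only),
        # unless -H flags are passed in the systemd unit; check that too.
        results = []
    for line in results or ["no remote Docker API exposure found in " + path]:
        print(line)
```

The script only reads daemon.json; if the daemon is started with `-H` flags in a systemd unit or a Docker Desktop setting, those take effect too and should be checked the same way. A finding of an unauthenticated TCP listener is exactly the condition that lets the campaign's automated scanner reach the API, so it belongs in a scheduled host audit alongside the monitoring the paragraph above recommends.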

