Wiz Threat Research discovered a new variant of a cryptojacking campaign targeting misconfigured Kubernetes clusters in cloud environments. The threat actor abuses anonymous access to the cluster's API server to deploy malicious container images from Docker Hub that contain a DERO miner. The threat actor has adapted their tactics since March 2023, employing methods such as hardcoding wallet and mining pool information into the miner binary to evade detection.
In the activity observed by Wiz Threat Research, the attacker gains initial access to cloud environments by abusing a publicly accessible Kubernetes API server with anonymous authentication enabled. Anonymous requests are evaluated as the user `system:anonymous` in the group `system:unauthenticated`, which by default carries only minimal permissions; the attacker relies on non-default RBAC bindings that grant those subjects additional rights. After gaining initial access, the attackers deploy various cryptominer workloads across multiple namespaces using benign-looking names like `k8s-device-plugin` and `pytorch-container` to blend in with legitimate resources. They use Docker Hub images containing a UPX-packed DERO miner named "pause" (designed to mimic the legitimate "pause" container that holds the network namespace for every Kubernetes pod).
The attackers have hardcoded encrypted wallet addresses and mining pool URLs into the miner executable, so it runs without the wallet and pool command-line arguments that miner detections typically key on, most likely as a defense evasion technique. Further investigation revealed that the attackers updated their Docker Hub repository images since this activity was originally reported in March 2023, and registered new domains to mask their malware's communication with mining pools. The attacker also employed various methods to propagate within target cloud environments, including exploiting other misconfigurations and using additional tools such as a dropper script that neutralizes competing cryptojacking activity and tampers with system logs.
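Because the wallet and pool are baked into the binary, process arguments give nothing to alert on; the image reference and the look-alike names still do. The real pause sandbox is created by the container runtime and is never a container in a pod spec, so any pod whose spec pulls an image called "pause", let alone from Docker Hub, deserves a look. The following is an added example, not code from Wiz or from the campaign, that parses the JSON from `kubectl get pods -A -o json` and flags (a) "pause" images not from a Kubernetes registry and (b) pods or containers carrying the names mentioned above but backed by a Docker Hub user repository. The sample pods, the `someuser` repository and the pod names are constructed.

```python
"""Spot pods that mimic Kubernetes infrastructure using Docker Hub images.

Added illustration over the `items` list from `kubectl get pods -A -o json`.
"""
import json

TRUSTED_PAUSE_REGISTRIES = {"registry.k8s.io", "k8s.gcr.io"}
# The sandbox name the miner mimics plus the workload names the campaign used.
LOOKALIKE_NAMES = {"pause", "k8s-device-plugin", "pytorch-container"}


def parse_image(ref):
    """Split an image reference into (registry, repository, tag_or_digest),
    applying the same defaults as the container runtimes: no registry means
    docker.io, and a bare name on docker.io means library/<name>."""
    name, _, digest = ref.partition("@")
    head, colon, tail = name.rpartition(":")
    if colon and "/" not in tail:      # ':' after the last '/' is a tag
        name, tag = head, tail
    else:
        tag = "latest"
    parts = name.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, "/".join(parts[1:])
    else:
        registry, repo = "docker.io", name
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo
    return registry, repo, digest or tag


def suspicious_pods(items):
    """Return (namespace, pod, image, reasons) for containers worth a look."""
    findings = []
    for pod in items:
        meta = pod["metadata"]
        ns, pod_name = meta.get("namespace", "default"), meta["name"]
        spec = pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            registry, repo, _ = parse_image(c["image"])
            base = repo.rsplit("/", 1)[-1]
            reasons = []
            if base == "pause" and registry not in TRUSTED_PAUSE_REGISTRIES:
                reasons.append("pause image not from a Kubernetes registry")
            lookalike = (c.get("name") in LOOKALIKE_NAMES
                         or any(pod_name.startswith(n) for n in LOOKALIKE_NAMES))
            user_repo = registry == "docker.io" and not repo.startswith("library/")
            if lookalike and user_repo:
                reasons.append("look-alike name backed by a Docker Hub user repository")
            if reasons:
                findings.append((ns, pod_name, c["image"], tuple(reasons)))
    return findings


# Constructed sample: one legitimate pod, two modelled on the campaign's naming.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "kube-system", "name": "coredns-5d78c9869d-x2k4q"},
     "spec": {"containers": [{"name": "coredns",
                              "image": "registry.k8s.io/coredns/coredns:v1.11.1"}]}},
    {"metadata": {"namespace": "kube-system", "name": "k8s-device-plugin-7f9d"},
     "spec": {"containers": [{"name": "pause", "image": "someuser/pause:latest"}]}},
    {"metadata": {"namespace": "default", "name": "pytorch-container-0"},
     "spec": {"containers": [{"name": "worker",
                              "image": "docker.io/someuser/pytorch-container"}]}},
]})

if __name__ == "__main__":
    for finding in suspicious_pods(json.loads(SAMPLE_PODS)["items"]):
        print(finding)
```

The registry normalization matters more than it looks: `pause`, `docker.io/library/pause` and `someuser/pause` are three spellings the same runtime resolves to Docker Hub, and a rule that only matches the literal string `pause` in the image field misses two of them.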
By pivoting on IOCs identified during the investigation in public malware repositories, Wiz Threat Research also uncovered additional related tools and activities, which suggest that the threat actor is also targeting different types of environments besides Kubernetes clusters. This adaptive and versatile approach highlights the threat actor's efforts to stay ahead of detection mechanisms and maintain their cryptojacking operations over time.