A new cryptomining campaign has been detected mining the not-so-popular Dero cryptocurrency, chosen because it serves one of criminals' biggest needs: anonymity.
Dero cryptojacking via Kubernetes
According to CrowdStrike researchers, this first-ever Dero-based cryptojacking campaign has been active since last month.
The campaign focuses on harnessing the processing power of Kubernetes clusters whose Kubernetes API is exposed to the internet.
The attack begins with a scan for Kubernetes clusters running with a specific setting (--anonymous-auth=true), which makes the API server accept anonymous, unauthenticated requests.
Upon successful intrusion, the initial payloads (Docker images) are delivered from three U.S.-based IP addresses.
The payloads include a Kubernetes DaemonSet, named proxy-api, which deploys a malicious pod on every node of the Kubernetes cluster to start mining Dero.
Hosted on Docker Hub, the malicious pod images consist of a modified CentOS 7 along with two additional files: entrypoint[.]sh (a script that initializes the miner with a hardcoded address) and pause (the actual coin miner that mines Dero).
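As an added defender-side example (not code from the CrowdStrike report), the following Python checks the two conditions described above on data an operator already has: the kube-apiserver arguments for an effective --anonymous-auth=true, and a `kubectl get ds -A -o json` listing for a DaemonSet that matches the campaign's proxy-api naming or pulls its image from Docker Hub. The DaemonSet sample, the image name and version tag, and the known-good allowlist are constructed assumptions to be tuned per cluster.

```python
import json

# DaemonSets that are normally present and should not be flagged (assumed; extend per cluster).
KNOWN_GOOD_DAEMONSETS = {("kube-system", "kube-proxy")}

def anonymous_auth_enabled(apiserver_args):
    """True if the kube-apiserver arguments leave anonymous requests enabled.
    The flag defaults to true, so only an explicit --anonymous-auth=false is safe."""
    for arg in apiserver_args:
        if arg.startswith("--anonymous-auth="):
            return arg.split("=", 1)[1].strip().lower() != "false"
    return True  # flag absent: the default (true) applies

def is_docker_hub_image(image):
    """True when an image reference resolves to Docker Hub (no explicit registry host)."""
    first = image.split("/", 1)[0]
    return first == "docker.io" or ("." not in first and ":" not in first and first != "localhost")

def suspicious_daemonsets(daemonset_list):
    """Return (namespace, name, reasons) for DaemonSets matching the campaign's traits.
    daemonset_list is the parsed output of `kubectl get ds -A -o json`."""
    findings = []
    for ds in daemonset_list.get("items", []):
        meta = ds["metadata"]
        if (meta["namespace"], meta["name"]) in KNOWN_GOOD_DAEMONSETS:
            continue
        reasons = []
        if meta["name"] == "proxy-api":
            reasons.append("name matches the Dero campaign's DaemonSet")
        for c in ds["spec"]["template"]["spec"]["containers"]:
            if is_docker_hub_image(c["image"]):
                reasons.append(f"pulls from Docker Hub: {c['image']}")
        if reasons:
            findings.append((meta["namespace"], meta["name"], reasons))
    return findings

# Constructed sample: one legitimate DaemonSet and one shaped like the campaign's.
SAMPLE_DS = json.loads("""{"items": [
 {"metadata": {"namespace": "kube-system", "name": "kube-proxy"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.26.0"}]}}}},
 {"metadata": {"namespace": "default", "name": "proxy-api"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "pause", "image": "exampleuser/proxy-api:latest"}]}}}}
]}""")

if __name__ == "__main__":
    print("anonymous auth enabled:", anonymous_auth_enabled(["--anonymous-auth=true"]))
    for ns, name, reasons in suspicious_daemonsets(SAMPLE_DS):
        print(f"{ns}/{name}: {'; '.join(reasons)}")
```

Feed `anonymous_auth_enabled` the command line from the kube-apiserver static pod manifest or process list; a missing flag is reported as enabled because that is the default.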
Why Dero?
Dero is a relatively new cryptocurrency that offers robust privacy and anonymity to its users.
It uses Directed Acyclic Graph (DAG) technology, which provides complete anonymity for its transactions.
According to its website, Dero provides features such as instant full confirmation of block transactions, a highly decentralized network, and distribution of rewards.
Such features offer miners higher rewards than Monero and other cryptocurrencies do.
Ending notes
Cryptojacking campaigns targeting Docker and Kubernetes are nothing new. In the past, Kinsing malware and the Kiss-a-Dog campaign have been observed targeting this combination for illegitimate cryptomining. However, the mining of Dero indicates that attackers are exploring alternatives to Monero that offer better anonymity and returns. Experts suggest organizations take caution by regulating and updating their cloud-hosted images and conducting regular audits of all exposed cloud infrastructure.