A Cryptominer hidden in a Docker Hub image
March 07, 2020

A malicious binary and two further malicious files were detected in the container image felilca/ubuntu:latest. The binary sits in one of the image's layers; at runtime it hijacks the host's compute resources. The image has amassed over 50K pulls.

Type        IOC                               Details
File        e27e6e4010b81be6915cdb5bb225c579  Path: /root/c_sh
File        066ef9ef85f7fd0427f46a287407e038  Path: /root/config.json
File        438e9d2173b891c9268b547d32d57a30  Path: /root/startup.sh
Image       felilca/ubuntu:latest             https://hub.docker.com/r/felilca/ubuntu/tags
IP address  62[.]80[.]226[.]102               Attacker's C2 server
IP address  206[.]189[.]165[.]199             Attacker's IP address
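The file IOCs above can be checked against a pulled image offline, without ever running it, by walking the layer tars inside a `docker save` archive. The following scanner is an added example, not part of the advisory; it assumes the 32-character hashes are MD5 (the advisory does not name the algorithm), reports a "hash" hit on a digest match and a "path" hit when a file sits at a listed location with different content, and `build_tar` is a constructed test helper.

```python
import hashlib
import io
import tarfile

# File IOCs from the advisory, keyed by hash (assumed MD5: 32 hex chars).
IOC_FILES = {
    "e27e6e4010b81be6915cdb5bb225c579": "/root/c_sh",
    "066ef9ef85f7fd0427f46a287407e038": "/root/config.json",
    "438e9d2173b891c9268b547d32d57a30": "/root/startup.sh",
}

def scan_layer(layer_bytes, iocs=IOC_FILES):
    """Walk one layer tar; return (path, md5, reason) for each regular file
    whose digest is a known IOC ("hash") or that sits at a known path ("path")."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = "/" + member.name.lstrip("./")  # layer entries are relative
            digest = hashlib.md5(tar.extractfile(member).read()).hexdigest()
            if digest in iocs:
                hits.append((path, digest, "hash"))
            elif path in iocs.values():
                hits.append((path, digest, "path"))  # known location, new content
    return hits

def scan_image(image_bytes, iocs=IOC_FILES):
    """Scan a `docker save` archive: each member that opens as a tar is a layer
    (legacy <id>/layer.tar or OCI blobs/sha256/*); JSON metadata is skipped."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:*") as img:
        for member in img:
            if not member.isfile():
                continue
            try:
                hits.extend(scan_layer(img.extractfile(member).read(), iocs))
            except tarfile.TarError:
                continue  # manifest.json, config, repositories, oci-layout
    return hits

def build_tar(files):
    """Constructed test helper: build an in-memory tar from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Run it as `scan_image(open("image.tar", "rb").read())` after `docker save felilca/ubuntu:latest -o image.tar`; a "path" hit on /root/c_sh is worth triaging even when the hash differs, since a rebuilt miner lands in the same place.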