A Python-based Cryptominer found hidden in the image yrubertzh/AWS
August 18, 2020

A Python script and a shell script are downloaded from a remote source when the container image yrubertzh/aws:latest is run. Once executed, the scripts are set to hijack the host’s resources. The image amassed 108 pulls.

| Type | IOC | Details |
|---|---|---|
| File | cfaabc91175a3598dc92cd542f0ca48e | Path: /aws.py |
| File | 8be09fc24d427523a2255c0dd772459c | Path: venv/ubuntu_tor.sh |
| Image | yrubertzh/aws:latest | https://hub.docker.com/r/yrubertzh/aws |
| IP address | 64[.]227[.]85[.]51 | Attacker’s IP address |
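
Because the two scripts are fetched while the container runs, the file IoCs above are best checked against a container's filesystem export rather than only the image reference. The sketch below is an added example, not code from the original advisory: it matches the listed MD5s and paths inside a tar archive such as `docker export` produces, and matches the image name and refanged IP in log lines. The function names, sample archive and log lines are constructed for illustration.

```python
import hashlib
import io
import posixpath
import re
import tarfile

# IoCs copied from the table on this page (MD5 -> reported path).
FILE_IOCS = {
    "cfaabc91175a3598dc92cd542f0ca48e": "/aws.py",
    "8be09fc24d427523a2255c0dd772459c": "venv/ubuntu_tor.sh",
}
IMAGE_IOC = "yrubertzh/aws"
IP_IOC = "64[.]227[.]85[.]51".replace("[.]", ".")  # refang before matching
IP_RE = re.compile(r"(?<![\d.])" + re.escape(IP_IOC) + r"(?!\d)")

def scan_export(tar_bytes, file_iocs=FILE_IOCS):
    """Return (path, reason) hits for a `docker export`-style tar archive."""
    ioc_paths = {p.lstrip("/") for p in file_iocs.values()}
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = posixpath.normpath(member.name).lstrip("/")
            digest = hashlib.md5(tar.extractfile(member).read()).hexdigest()
            if digest in file_iocs:
                hits.append((name, "md5"))
            elif any(name == p or name.endswith("/" + p) for p in ioc_paths):
                hits.append((name, "path-only"))  # known path, different content
    return hits

def scan_logs(lines):
    """Return lines naming the image or containing the IP as a whole address."""
    return [line for line in lines if IMAGE_IOC in line.lower() or IP_RE.search(line)]

def build_sample_export():  # constructed stand-in, not the real samples
    files = [("aws.py", b"print('placeholder')\n"),
             ("root/venv/ubuntu_tor.sh", b"#!/bin/sh\n"), ("etc/hostname", b"demo\n")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

SAMPLE_LOGS = ["dockerd: pulling image yrubertzh/aws:latest",  # constructed lines
               "conn src=10.0.0.5 dst=64.227.85.51",
               "conn src=10.0.0.5 dst=164.227.85.51"]  # near miss, must not match
```

A `path-only` hit means a file sits at a reported path but its content differs from the listed hash, so it is a weaker signal that warrants manual review.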