[marumira/jido] Mining malware/worm #1807
This image is a worm/botnet/whatever targeting unsecured Docker API instances (port tcp/2375).
It uses Tor to update its mining config and continuously scrapes Shodan for exposed Docker instances (with a hardcoded user/pass which I changed) to infect them as well. It also sets up an SSH server, with a hashed password for the root user (basically a backdoor account).
My honeypot hasn't picked it up yet, but I've seen it all over Shodan recently: https://www.shodan.io/search?query=product%3ADocker+marumira
It seems to be frequently updated, with the last update (as of writing) being 5 hours ago.
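A quick defender-side check for the two things this report describes, added here as an example and not part of the issue or the reporter's own tooling: whether a Docker API is accepting plaintext TCP connections on the reported port (2375) and whether any running container was started from the image named in the title. It assumes the `docker` CLI is on PATH; the sample `docker ps` output embedded below is constructed, not real data.

```python
"""Check a Docker host for an exposed API port and containers built from a reported image."""
import json
import socket
import subprocess

# Image name taken from the report title; extend with tags/digests as needed.
SUSPECT_IMAGES = ("marumira/jido",)


def suspicious_containers(ps_json_lines, suspects=SUSPECT_IMAGES):
    """Return (container id, image) pairs whose image matches a suspect name.

    Input is the line-per-container output of `docker ps --format '{{json .}}'`.
    Matches bare names, name:tag and name@sha256:... forms.
    """
    hits = []
    for line in ps_json_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        image = rec.get("Image", "")
        if any(image == s or image.startswith((s + ":", s + "@")) for s in suspects):
            hits.append((rec.get("ID"), image))
    return hits


def docker_api_exposed(host="127.0.0.1", port=2375, timeout=2.0):
    """True if something accepts a TCP connection on the (plaintext) Docker API port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def live_ps_lines():
    """Run `docker ps` on this host and return its JSON lines (needs the docker CLI)."""
    out = subprocess.run(["docker", "ps", "--format", "{{json .}}"],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


# Constructed sample of `docker ps --format '{{json .}}'` output (hypothetical IDs/names).
SAMPLE_PS = [
    '{"ID":"a1b2c3d4e5f6","Image":"nginx:1.25","Names":"web"}',
    '{"ID":"0f9e8d7c6b5a","Image":"marumira/jido:latest","Names":"upbeat_turing"}',
    '{"ID":"1122334455aa","Image":"redis","Names":"cache"}',
]

if __name__ == "__main__":
    print("API port 2375 open on localhost:", docker_api_exposed())
    print("suspect containers:", suspicious_containers(live_ps_lines()))
```

`docker_api_exposed` only tells you the port answers; a daemon bound to 2375 without TLS client verification is exposed to anyone who can reach it, which is the condition this worm looks for.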