[zoolu2/*] Mining malware from "marumira" under different account #1809

Closed
btx3 opened this issue May 5, 2019 · 14 comments

@btx3 commented May 5, 2019

All images on the zoolu2 Docker Hub account are either the exact same or extremely similar to the one pointed out in issue #1807 (XMR miner, automatic spreading through Shodan, etc.), except some now use multiple Shodan accounts instead of just one.
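The check a practitioner would want against the exposure described in this report, as an added example (not code from this issue, from btx3's honeypot, or from Docker): it audits a dockerd configuration for the Engine API listening on a non-loopback plaintext TCP socket (port 2375 by convention) without `--tlsverify`, which is exactly what the Shodan query in these images looks for. The daemon.json and command-line samples are constructed for the example; the key and flag names (`hosts`, `tlsverify`, `-H`/`--host`, `--tlsverify`) are Docker's documented ones.

```python
"""Added example, not from this issue or from Docker: audit a dockerd
configuration for the exposure the zoolu2 images hunt for, i.e. the Engine
API listening on plaintext TCP (conventionally port 2375) with no
client-certificate authentication. Sample configs below are constructed."""
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _listener_findings(hosts, tls_verify):
    """One finding per tcp:// listener that is not loopback-only and not
    protected by --tlsverify (mutual TLS). --tls alone only encrypts; it
    does not authenticate the client, so it does not count here."""
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue                 # unix:// and fd:// are not network-reachable
        host = u.hostname or ""      # "" means every interface (tcp://:2375)
        if host in LOOPBACK:
            continue
        if not tls_verify:
            findings.append(
                f"{h}: Engine API reachable over TCP without client-cert auth")
    return findings


def audit_daemon_json(text):
    """Audit the contents of /etc/docker/daemon.json (passed as a string)."""
    cfg = json.loads(text)
    # No "hosts" key means dockerd listens only on the unix socket.
    return _listener_findings(cfg.get("hosts", []),
                              bool(cfg.get("tlsverify", False)))


def audit_dockerd_cmdline(cmdline):
    """Audit a dockerd command line as seen in `ps` or a systemd unit."""
    args = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith("-H=") or a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return _listener_findings(hosts, tls_verify)


# Constructed samples: the first is the exposure the miners scan for,
# the second is Docker's documented mutual-TLS setup on 2376.
INSECURE_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
)
SECURE_DAEMON_JSON = (
    '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
    '"tlscacert": "/etc/docker/ca.pem", '
    '"tlscert": "/etc/docker/server-cert.pem", '
    '"tlskey": "/etc/docker/server-key.pem"}'
)

if __name__ == "__main__":
    for label, findings in (
        ("insecure daemon.json", audit_daemon_json(INSECURE_DAEMON_JSON)),
        ("secure daemon.json", audit_daemon_json(SECURE_DAEMON_JSON)),
        ("cmdline", audit_dockerd_cmdline("dockerd -H fd:// -H tcp://0.0.0.0:2375")),
    ):
        print(label, "->", findings or "no unauthenticated TCP listener")
```

Run it against your own `/etc/docker/daemon.json` and the live `dockerd` command line from `ps`; anything it reports is reachable by the same Shodan query the images use, and the fix is either to drop the `tcp://` host entirely or to move it to 2376 with `tlsverify` and a client CA as Docker's documentation describes.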

@btx3 (Author) commented May 6, 2019

Hi,

Bumping this to let you know this is still an ongoing attack:
[image: screenshot from my Docker honeypot]

btx3 changed the title from "[zoolu2/*] "marumira" under different account" to "[zoolu2/*] Mining malware from "marumira" under different account" on May 6, 2019

@Caprico1 commented May 16, 2019

https://www.shodan.io/search?query=docker+%22zoolu2%22+port%3A2375

Ran across this yesterday. Seems like zoolu2 images could still be actively exploiting systems. Saw a result come in on a machine in Poland today that wasn't there last night.

Are these images from zoolu2 still propagating in your honeypot?

I'm not seeing anything on shodan for that other image.

@btx3 (Author) commented May 16, 2019

Yup, I've been seeing multiple different images from the same account:

[image]

@Caprico1 commented May 17, 2019

Thanks,
I'm going to be looking at them closer in a VM here in a bit. I'll let you know if I find anything.

@Caprico1 commented May 17, 2019

Looks like the mini1 image is making a callout to some server.
[image]

I'm going to keep digging but I'll check back.

Can you see any outbound traffic from your honeypot?

@Caprico1 commented May 17, 2019

Okay, looks like a couple of them are going out and querying Shodan looking for port 2375. It's almost exactly the same query as the link I sent earlier.

@Caprico1 commented May 17, 2019

So... I found something. Ping me on Twitter @Suprn8 and I'll give you the rest. I don't want to tip this guy off.

@btx3 (Author) commented May 18, 2019

Sorry, didn't see the emails. About the outbound traffic, there is some through tor, so I don't exactly know where it's going. It also seems to use multiple Shodan accounts instead of just one like in the previous image.

Also, the mining endpoint is to Nicehash (same account name), so a report should stop the mining.

@Caprico1 commented May 18, 2019

Yeah, I found the onion link, at least for the Auto image. DM me on Twitter and I'll share what I've got.

@Caprico1 commented May 19, 2019

https://twitter.com/Suprn8/status/1129877707897081856

Got confirmation from Shodan that those accounts are deactivated; they won't propagate anymore.

@manishtomar (Member) commented May 20, 2019

I've disabled zoolu2 account. Thanks for the report.

@Caprico1 commented May 24, 2019

He's back.

The user is Pavlov32. The image is pavlov32/auto
https://hub.docker.com/r/pavlov32/auto

It has the exact same code minus a 0-byte file named pavlov (I assume to get past some file hash checks).

I am contacting John Matherly again to get the accounts disabled.

@manishtomar (Member) commented May 24, 2019

I've also disabled this account, pavlov32. Thanks for the report.

@Caprico1 commented May 27, 2019

And again,

User is zoolu2, image is zoolu2/jauto.
https://hub.docker.com/r/zoolu2/jauto

Exactly the same code, and it even links to pavlov32.
