[zoolu2/*] Mining malware from "marumira" under different account

[bs3vcenk]

All images on the zoolu2 Docker Hub account are either the exact same or extremely similar to the one pointed out in issue #1807 (XMR miner, automatic spreading through Shodan, etc.), except some now use multiple Shodan accounts instead of just one.

[bs3vcenk]

Hi,

Bumping this to let you know this is still an ongoing attack:

(image from my Docker honeypot)

[Caprico1]

https://www.shodan.io/search?query=docker+%22zoolu2%22+port%3A2375

Ran across this yesterday. Seems like zoolu2 images could be still actively exploiting systems. Saw a result come in on a machine in Poland today that wasn't there last night.

Are these images still from zoolu2 still propagating in your honeypot?

I'm not seeing anything on shodan for that other image.

[bs3vcenk]

Yup, I've been seeing multiple different images from the same account:

[Caprico1]

Thanks,
I'm going to be looking at them closer in a VM here in a bit. I'll let you know if I find anything.

[Caprico1]

looks like the mini1 image is making a callout to some server.

I'm going to keep digging but I'll check back.

Can you see any outbound traffic from your honey pot?

[Caprico1]

Okay looks like a couple of them are going out and querying shodan looking for port 2375. It's almost exactly asking the link that I sent earlier.

[Caprico1]

So....I found something ping me on twitter @Suprn8 and I'll give you the rest. I don't want to tip this guy off.

[bs3vcenk]

Sorry, didn't see the emails. About the outbound traffic, there is some through tor, so I don't exactly know where it's going. It also seems to use multiple Shodan accounts instead of just one like in the previous image.

Also, the mining endpoint is to Nicehash (same account name), so a report should stop the mining.

[Caprico1]

yeah I found the onion link at least for the Auto image. Dm me on twitter and I'll share what I've got.

[Caprico1]

https://twitter.com/Suprn8/status/1129877707897081856

Got confirmation from shodan that those accounts are deactivated they won't propogate anymore

[manishtomar]

I've disabled zoolu2 account. Thanks for the report.

[Caprico1]

He's back.

The user is Pavlov32. The image is pavlov32/auto
https://hub.docker.com/r/pavlov32/auto

it has the exact same code minus a 0 byte file named pavlov (i assume to get passed some file hash tests)

I am contacting John Matherly again to get the accounts disabled.

[manishtomar]

I've disabled this account also pavlov32. Thanks for the report.

[Caprico1]

and again,

user is zoolu2 image is zoolu2/jauto.
https://hub.docker.com/r/zoolu2/jauto

exactly the same code. and it even links to pavlov32.