Ali Cloud Security recently discovered a botnet gang that uses unauthorized access vulnerability to deploy malicious Docker images for mining. We named this gang Xulu because it uses this string as its username for mining.

Xulu isn’t the first malicious mining gang to attack Docker, but it’s different from other botnets. Once Xulu infects a server, instead of performing a large-scale scan, Xulu uses OSINT technology, which uses open source intelligence to dynamically obtain a list of possible “prey” IP addresses from the Shodan website.

In addition, the Xulu botnet has placed its own servers in the Tor Onion network, making it harder to trace who is behind it.




Will mine malicious Docker images

Docker container is an open source application container engine that allows developers to package their applications and dependencies into a lightweight, portable container that runs reliably in different environments.

In recent years, with the popularity of microservices, more and more enterprises use containers when deploying applications. However, security is often not given due attention in this process, resulting in Docker containers becoming targets of network attacks in several incidents.

In the Xulu botnet incident, we noticed that malicious containers with the mirror name zoolu2/ Auto were created on the captured servers.




These malicious containers run the following processes



The mining process is easy to identify:

/toolbin/darwin -o us-east.cryptonight-hub.miningpoolhub.com:20580 -u xulu.autodeploy -p x --currency monero -i 0 -c conf.txt -rCopy the code

Although Miningpoolhub.com is a public miningpool, since it does not provide historical revenue data for each user, there is no way to know how much money the attackers have collectively made from malicious mining.

Botnet propagation and persistence

The Xulu botnet uses OSINT technology and the Onion Network for its own propagation and persistence.

First of all, the control of a botnet server address is wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd onion.” The.onion” suffix indicates an “Onion service” (aka “hidden service”) that must be accessed through the Onion anonymous network.




The botnet uses /toolbin/shodaemon as its daemon:




It is not hard to see the script to download the wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd. Onion/shodan. TXT, TXT with the contents of the hardcoded /toolbin/hcode. TXT file





Run/Toolbin /shodan to read the search.txt list and send the query shown above to shodan.

These queries return a series of host IP addresses on the Internet that have Docker services open (port 2375). While not every one of these hosts was vulnerable, the attackers were able to avoid large-scale scans by using Shodan’s information.



After obtaining the list of hosts using Docker service and removing duplicate IP addresses, the captured host will send Docker run command to the IP in the table, and the Docker service with unauthorized access vulnerability will be deployed “Zoolu2 / Auto” malicious image to complete the spread of the worm.

In addition, Xulu botnets will download and execute every 30 minutes from wg6kw72fqds5n2q2x6qjejenrskg6i3dywe7xrcselhbeiikoxfrmnqd. Onion/bnet1. TXT download script, to maintain itself in the victims on the host is active.

Damage scale and safety recommendations

As you can see from docker Hub’s official website, the aforementioned “Zoolu2 / Auto” has been downloaded more than 10,000 times:




And botnet authors still seem to be actively developing variations:




  • In order to prevent you from becoming the victim of such malicious intrusion and mining incidents, Ali Cloud Security provides you with the following security recommendations:
  • Do not leave services for internal use (like Docker) open on the Internet, and use measures such as ACLs or complex passwords to ensure that only trusted users can access them.
  • Since the Onion-based “hidden service” has been used to spread multiple botnets, users who do not use the Onion-based service often can run the echo -e “n0.0.0.0. onion” >> /etc/hosts command to block it
  • We recommend you to use the next generation firewall of Aliyun, because it is very effective in preventing and blocking such attacks that require external communication. With the help of AI technology, users will be free from malicious mining incidents
  • We also recommend aliyun security Butler service. Users of the service can consult security experts whenever they encounter problems. Security experts can also help users with security hardening, event tracing, and worm cleanup


The original link

This article is the original content of the cloud habitat community, shall not be reproduced without permission.