
Kaspersky Detects Dero Cryptocurrency Miner Targeting Exposed Docker APIs

Monday 16 June 2025 15:07

Kaspersky Security Services has uncovered a sophisticated cyberattack campaign leveraging exposed Docker APIs to distribute a miner for the Dero cryptocurrency. The discovery was made during a compromise assessment initiative, highlighting the ongoing risks to containerized environments.

According to Kaspersky experts, the attackers are exploiting Docker Engine API ports that have been published to the network without authentication, a misconfiguration that persists globally, with an average of 485 exposed instances observed each month. Because the API grants full control of the Docker daemon, this misconfiguration is used either to compromise existing containers or to create new malicious ones based on legitimate Ubuntu images.

Once access is gained, two malware components are deployed into the container: one acts as the miner, while the other ensures persistence and spreads the infection to additional targets. Notably, the two binaries are named "nginx" and "cloud" so that they blend in with legitimate-looking process names.

“The campaign demonstrates the risk of exponential spread, with each compromised container capable of infecting others,” said Amged Wageh, incident response and compromise assessment expert at Kaspersky. “Containers are foundational to modern software development, and securing them requires a comprehensive, proactive approach.”

Key Findings:

Attackers bypass traditional command-and-control servers by enabling infected containers to independently scan for new targets.

The malware operates silently, masquerading at the binary level (the "nginx" and "cloud" names) to blend into legitimate container processes.

Targeted entities may include cloud service providers, software development firms, hosting platforms, and enterprises relying on DevOps infrastructure.


Recommendations from Kaspersky:

Refrain from publishing the Docker API over the network unless operationally necessary. Where an endpoint must be exposed, protect it with TLS and client-certificate verification (the daemon's tlsverify mode): TLS alone encrypts the channel but still lets any network client that can reach the port control the daemon.

Conduct regular compromise assessments to detect both active and stealthy intrusions.

Implement container-specific security solutions such as Kaspersky Container Security to protect both development and runtime environments.

Utilize managed services including Compromise Assessment, Incident Response, and Managed Detection and Response (MDR) for full-spectrum protection.
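As an added example (not code from the Kaspersky report or the Securelist write-up), the Python script below covers the two practical points above: it audits a dockerd daemon.json for a tcp:// listener published without client-certificate verification, and it flags containers whose process list contains names "nginx" or "cloud" inside images where such processes are not expected (for instance a plain ubuntu image). The daemon.json samples and the docker top listings are constructed for the example; the process-name heuristic is an assumption drawn from the names reported above, not a vendor-published indicator; and collect_from_docker() assumes a host with the docker CLI available.

```python
"""Audit helpers for the exposed-Docker-API pattern described above (added example).

  audit_daemon_config()       flags tcp:// listeners in daemon.json that lack mutual TLS
  flag_suspicious_containers() applies a process-name heuristic to `docker top` output

Sample configs and process listings are constructed; the heuristic is an assumption.
"""
import json
import os
import subprocess
from typing import Dict, List

# Constructed daemon.json samples (not copied from any real host).
DAEMON_INSECURE = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}
DAEMON_TLS_NO_CLIENT_AUTH = {          # encrypted, but any client is accepted
    "hosts": ["tcp://0.0.0.0:2376"],
    "tls": True,
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}
DAEMON_SECURE = {                      # mutual TLS, bound to one internal address
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


def audit_daemon_config(cfg: Dict) -> List[str]:
    """Return findings for every tcp:// listener that is not protected by mutual TLS."""
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        if not cfg.get("tls"):
            findings.append(f"{host}: plaintext, unauthenticated Docker API")
        elif not cfg.get("tlsverify"):
            findings.append(f"{host}: TLS without client-cert verification "
                            "(tlsverify unset): any client can still control dockerd")
        if "0.0.0.0" in host or "[::]" in host:
            findings.append(f"{host}: bound to all interfaces")
    return findings


# Process names used by the campaign's two binaries, per the article.
SUSPICIOUS_NAMES = {"nginx", "cloud"}

# Constructed records in the shape produced by collect_from_docker().
SAMPLE_TOP = [
    {"id": "a1b2c3", "image": "ubuntu:22.04",
     "processes": [{"pid": 1, "comm": "bash"}, {"pid": 57, "comm": "nginx"},
                   {"pid": 58, "comm": "cloud"}]},
    {"id": "d4e5f6", "image": "nginx:1.25",                 # nginx is expected here
     "processes": [{"pid": 1, "comm": "nginx"}]},
    {"id": "0a1b2c", "image": "ubuntu:22.04",
     "processes": [{"pid": 1, "comm": "sleep"}]},
]


def flag_suspicious_containers(records: List[Dict]) -> Dict[str, List[str]]:
    """Heuristic (assumption): a process named nginx/cloud is suspicious unless the
    image itself is that software, e.g. 'nginx' inside an nginx:* image."""
    flagged = {}
    for rec in records:
        image_base = rec["image"].split("/")[-1].split(":")[0]
        hits = sorted({os.path.basename(p["comm"]) for p in rec["processes"]
                       if os.path.basename(p["comm"]) in SUSPICIOUS_NAMES
                       and os.path.basename(p["comm"]) != image_base})
        if hits:
            flagged[rec["id"]] = hits
    return flagged


def parse_docker_top(text: str) -> List[Dict]:
    """Parse `docker top <id> -o pid,comm` output: a header line, then PID and name."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            rows.append({"pid": int(parts[0]), "comm": parts[1].strip()})
    return rows


def collect_from_docker() -> List[Dict]:
    """Build records from a live host via the docker CLI (assumes docker is installed)."""
    out = subprocess.check_output(["docker", "ps", "--format", "{{.ID}} {{.Image}}"], text=True)
    records = []
    for line in out.splitlines():
        cid, image = line.split(None, 1)
        top = subprocess.check_output(["docker", "top", cid, "-o", "pid,comm"], text=True)
        records.append({"id": cid, "image": image, "processes": parse_docker_top(top)})
    return records


if __name__ == "__main__":
    cfg_path = "/etc/docker/daemon.json"
    cfg = json.load(open(cfg_path)) if os.path.exists(cfg_path) else DAEMON_INSECURE
    for finding in audit_daemon_config(cfg):
        print("CONFIG:", finding)
    try:
        records = collect_from_docker()
    except (OSError, subprocess.CalledProcessError):
        records = SAMPLE_TOP          # fall back to the constructed sample offline
    for cid, names in flag_suspicious_containers(records).items():
        print(f"CONTAINER {cid}: suspicious processes {names}")
```

Run it as root on a Docker host to audit the real daemon.json and running containers; without docker present it falls back to the constructed sample. A hit from the process-name heuristic is a lead for a compromise assessment, not proof on its own, so follow it with an inspection of the binaries and the container's network activity.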


Full technical details of the campaign are available on Securelist. Kaspersky products detect the malware under the verdicts Trojan.Linux.Agent.gen and RiskTool.Linux.Miner.gen.