
Malware overview – Graboid

November 20, 2019, by Daniel Dimov

Introduction

In October 2019, security researchers from Unit 42 at Palo Alto Networks discovered a new malware strain called Graboid. It is cryptojacking malware that spreads through containers running on the Docker Engine. This novel propagation technique makes Graboid hard to detect, because most endpoint protection software does not inspect what runs inside Docker containers. Although the current version of Graboid is not very sophisticated, it has the potential to evolve into far more capable cryptojacking malware.

This article explains how Graboid infects other computers, the cryptojacking activities conducted by Graboid, and the measures organizations can take to protect against it.

Infection

Graboid spreads through unsecured Docker daemons. More specifically, it runs a Docker image on a compromised host; the image includes a Docker client tool that can talk to other Docker hosts. Graboid then downloads four scripts, namely live.sh, worm.sh, cleanxmr.sh and xmr.sh, and executes them repeatedly in that order. The consequences of executing each script are examined below.

live.sh

When live.sh runs, the compromised host reports the number of available central processing units (CPUs) to the command and control servers associated with Graboid.

worm.sh

Running worm.sh downloads a file called “IP”, which contains a list of more than 2,000 IP addresses of hosts with unsecured Docker API endpoints. Once the file is downloaded, Graboid randomly picks one of the IP addresses on the list and uses the Docker client tool to spread itself to that unsecured host.

cleanxmr.sh

cleanxmr.sh has a rather unexpected function: it randomly selects one of the unsecured hosts and stops the cryptojacking activity Graboid is running on that host.

xmr.sh

xmr.sh does the opposite of cleanxmr.sh. It randomly selects one of the vulnerable hosts from the aforementioned IP file and deploys Graboid on it.

The exact reason for this unusual behaviour remains a mystery. The researchers from Unit 42 at Palo Alto Networks noted: “The motivation for this randomized design is unclear. It can be a bad design, an evasion technique (not very effective), a self-sustaining system or some other purposes.” The researchers chose the name “Graboid” because of the malware's on-and-off operation. The name refers to the sandworm in the movie “Tremors”, which moves in short bursts of speed but is generally not very skilled.

Cryptojacking activities

Once installed on an infected computer, Graboid starts mining Monero. The fraudsters likely chose Monero because it is faster and more straightforward to mine than Bitcoin. The research conducted by Unit 42 at Palo Alto Networks indicated that each infected computer is engaged in mining 63% of the time and that each mining period lasts 250 seconds. The same report showed that more than 2,000 Docker engines are currently insecurely exposed. If Graboid succeeds in infecting all of those Docker engines, it may bring substantial revenue to its creators: the Kaspersky Lab Anti-Malware Research team found that a cryptocurrency mining botnet of 5,000 machines may bring its owners more than USD 200,000.

Preventing an infection with Graboid

Organizations that want to prevent an infection with Graboid need to ensure that:

  1. Their machines are checked frequently for unknown Docker images or containers.
  2. They use cloud security solutions that can identify malicious Docker Engine containers.
  3. No Docker images are pulled from unknown user namespaces or registries.
  4. A Unix socket is used to communicate with the Docker daemon locally. Alternatively, a secure shell (SSH) connection can be used to reach a remote Docker daemon.
  5. No Docker daemon is exposed to the Internet without an adequate authentication mechanism. It is worth mentioning that Docker Engine (Community Edition) is not exposed to the Internet by default.
  6. Firewall rules restrict incoming traffic to a small number of trusted sources.
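The following POSIX shell audit is an added example, not code from the article or from Unit 42. It checks three of the points above on a Docker host: whether the daemon API is bound to a wildcard TCP address instead of its Unix socket, which images come from a registry or namespace not on an allowlist, and which containers are burning CPU the way a miner does. Each function reads command output from stdin, so it can be run on live `ss`/`docker` output or on output saved from another host; the allowlist path, the registry name and the 80% threshold are assumptions chosen for the example.

```shell
#!/bin/sh
# Docker host audit for points 1, 4 and 5 of the prevention list (added example).
# Each function reads command output from stdin so it works on live output
# (ss -ltn | exposed_tcp_listeners) and on output captured elsewhere.

# 1. Is the Docker API bound to a wildcard TCP address?  Input: `ss -ltn`
#    (or `netstat -ltn`).  2375 is the conventional plain-text API port and
#    2376 the TLS port; a daemon reachable only via its Unix socket shows
#    neither.  Prints the offending lines and returns 1 if any were found.
exposed_tcp_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /^(\*|0\.0\.0\.0|\[::\]):(2375|2376)$/ { found = 1; print }
         END { exit found ? 1 : 0 }'
}

# 2. Which images do not come from an approved registry or namespace?
#    Input: `docker images --format "{{.Repository}}:{{.Tag}}"`.
#    $1 is a file with one allowed prefix per line, written the way Docker
#    prints repositories (e.g. "nginx:" or "registry.example.internal/").
unknown_images() {
    allow="$1"
    while IFS= read -r image; do
        ok=0
        while IFS= read -r prefix; do
            [ -n "$prefix" ] || continue        # ignore blank lines in the allowlist
            case "$image" in "$prefix"*) ok=1 ;; esac
        done < "$allow"
        [ "$ok" -eq 1 ] || echo "$image"       # print anything not covered
    done
}

# 3. Containers burning CPU the way a miner does.  Input:
#    `docker stats --no-stream --format "{{.Name}} {{.CPUPerc}}"`;
#    $1 is the CPU percentage above which a container is reported (default 80).
busy_containers() {
    awk -v limit="${1:-80}" '{ sub(/%$/, "", $2); if ($2 + 0 > limit) print $1, $2 "%" }'
}

# Run all three checks on the local host:  ./docker-audit.sh --live allowlist.txt
# (the default allowlist path below is a placeholder, not a real Docker file)
if [ "${1:-}" = "--live" ]; then
    ss -ltn | exposed_tcp_listeners || echo "WARNING: Docker API listening on a public TCP address"
    docker images --format '{{.Repository}}:{{.Tag}}' | unknown_images "${2:-/etc/docker/allowed-images.txt}"
    docker stats --no-stream --format '{{.Name}} {{.CPUPerc}}' | busy_containers 80
fi
```

A high-CPU container is only a lead, not proof of mining; confirm by inspecting the image source and the process list inside the container before acting on it.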

Conclusion

Graboid is rather weird malware, as its randomized behaviour is difficult to explain. Nevertheless, it should not be underestimated. It needs just 60 minutes to reach 1,400 vulnerable hosts, and 900 of those infected hosts will be actively mining at any given time. Without proper security measures, Graboid may turn entire organizations into cryptocurrency factories. Furthermore, Graboid periodically downloads new scripts from its command and control centre; such scripts may update the malware's functionality and make it more dangerous and unpredictable.

It should be noted that Graboid is just one of many cryptojacking malware families. Organizations that want to ensure a high level of information security need strategies aimed at preventing and neutralizing all types of cryptojacking malware. This is especially important because the number of attacks using cryptojacking malware is likely to increase in the future. In 2017 alone, there was a 34,000% increase in coin mining attacks. Even the Australian, US and UK governments, as well as large companies such as Starbucks and Tesla, have been compromised by cryptojacking malware.


References

  1. Arghire, I., ‘“Graboid” Crypto-Jacking Worm Targets Docker Hosts’, Security Week, 16 October 2019. Available at https://www.securityweek.com/graboid-crypto-jacking-worm-targets-docker-hosts.
  2. Attrill-Smith, A., Fullwood, C., Keep, M., Kuss, D., ‘The Oxford Handbook of Cyberpsychology’, Oxford University Press, 2019.
  3. Chen, J., ‘Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub’, Palo Alto Networks, 16 October 2019. Available at https://unit42.paloaltonetworks.com/graboid-first-ever-cryptojacking-worm-found-in-images-on-docker-hub/.
  4. Coble, S., ‘A New Strain of Malware Is Terrorizing Docker Hosts’, Infosecurity Magazine, 19 October 2019. Available at https://www.infosecurity-magazine.com/news/graboid-terrorizing-docker-hosts/.
  5. Ilascu, I., ‘Unsecured Docker Hosts Attacked by New Graboid Cryptojacking Worm’, Bleeping Computer, 16 October 2019. Available at https://www.bleepingcomputer.com/news/security/unsecured-docker-hosts-attacked-by-new-graboid-cryptojacking-worm/.
  6. Kaspersky Lab, ‘“Mining” Botnets are Back - Infecting Thousands of PCs, Generating Hundreds of Thousands of Dollars for Criminals’, 12 September 2017. Available at https://www.kaspersky.com/about/press-releases/2017_mining-botnets-are-back-infecting-thousands-of-pcs.
  7. McDonough, B., ‘Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals’, John Wiley & Sons, 2018.

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.