
Xanthe Malware

Posted: December 2, 2020

Docker instances are once again the prime target of a new cybercrime gang, which has unleashed the Xanthe Malware. This threat runs only on Linux systems and specializes in exploiting poorly configured Docker instances (in practice, a Docker daemon API left reachable over the network without client authentication). Once it gains a foothold, the malware deploys an XMRig-based cryptocurrency miner that consumes the infected server's CPU to mine cryptocurrency for the attackers. Beyond dropping that payload, the Xanthe Malware also tries to spread laterally across the network by harvesting credentials and certificates from the compromised host.

Trojanized cryptocurrency mining software usually targets Windows machines, simply because that is where the largest pool of potential victims is. The Xanthe Malware instead goes after Linux servers exclusively, and it narrows its pool of victims further by exploiting vulnerable Docker installations only.

The Xanthe Malware Infects Docker Instances to Plant Trojanized Cryptocurrency Miners

Dropping a cryptocurrency mining utility is not the only activity the Xanthe Malware engages in. It also runs several pre-made scripts that disable security services and competing cryptocurrency miners. It installs a process-hiding module to conceal the miner from process listings, and it checks the host for other cryptocurrency mining Trojans, which it disables so that the miner has the machine to itself.
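The Python script below is an added example (not Xanthe's code, and not a published indicator list) of how a defender can look on a Linux host for the behaviours just described: command lines carrying XMRig-style flags, entries in /etc/ld.so.preload (the usual way a userland process-hiding library is installed on Linux; whether Xanthe uses that exact mechanism is not stated on this page), and PIDs that answer to a direct probe of /proc but are missing from a directory listing. The process names, paths, wallet string and pool address in the sample data are constructed for the demonstration, not observed indicators.

```python
"""Host checks for miner-like processes, unexpected ld.so.preload entries and
hidden PIDs. Added example; sample inputs below are constructed."""
import os
import re
from typing import Callable, Iterable

# XMRig-style command-line features. The flag names (-o pool, --donate-level)
# are XMRig's real ones; everything else here is generic, not a Xanthe IOC.
MINER_PATTERNS = [
    re.compile(r"\bxmrig\b", re.I),
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level[= ]"),
    re.compile(r"(^|\s)-o\s+\S+:\d+\s"),   # -o host:port (a mining pool) followed by more args
]


def miner_like(cmdline: str) -> bool:
    """True if a command line carries XMRig-style miner features."""
    return any(p.search(cmdline) for p in MINER_PATTERNS)


def flag_miner_processes(procs: Iterable[tuple[int, str]]) -> list[int]:
    """Return the PIDs whose command line looks like a cryptocurrency miner."""
    return [pid for pid, cmd in procs if miner_like(cmd)]


def unexpected_preloads(preload_text: str, allowlist: Iterable[str] = ()) -> list[str]:
    """Entries in /etc/ld.so.preload that are not on the allowlist.
    On a stock server the file is absent or empty, so any entry deserves a look."""
    allowed = set(allowlist)
    entries = [line.strip() for line in preload_text.splitlines()]
    return [e for e in entries if e and not e.startswith("#") and e not in allowed]


def find_hidden_pids(listed: set[int], probe: Callable[[int], bool],
                     max_pid: int = 32768) -> list[int]:
    """PIDs that answer to a direct probe but are missing from the listing.
    A preload library that hooks readdir() can drop an entry from the /proc
    listing, but a stat() of /proc/<pid>/status still succeeds."""
    return [pid for pid in range(1, max_pid + 1) if pid not in listed and probe(pid)]


def live_hidden_pids() -> list[int]:
    """Run the hidden-PID check against the real /proc of this host."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    return find_hidden_pids(listed, lambda pid: os.path.exists(f"/proc/{pid}/status"))


def live_preloads() -> list[str]:
    """Read this host's /etc/ld.so.preload, if present."""
    try:
        with open("/etc/ld.so.preload", encoding="utf-8") as fh:
            return unexpected_preloads(fh.read())
    except FileNotFoundError:
        return []


# Constructed sample data for the demonstration (not real indicators).
SAMPLE_PROCS = [
    (1, "/sbin/init"),
    (812, "/usr/bin/dockerd -H fd://"),
    (4471, "/tmp/.x/kthreadd -o pool.example:3333 -u 4ABCD --donate-level=1 -k"),
    (4502, "sshd: root@pts/0"),
]
SAMPLE_PRELOAD = "/usr/local/lib/libsystem.so\n"

if __name__ == "__main__":
    print("miner-like PIDs in sample:", flag_miner_processes(SAMPLE_PROCS))
    print("unexpected preloads in sample:", unexpected_preloads(SAMPLE_PRELOAD))
    print("unexpected preloads on this host:", live_preloads())
    print("hidden PIDs on this host:", live_hidden_pids())
```

Run it as root for the live checks; the PID probe deliberately avoids `ps`, because a readdir-hooking library in ld.so.preload affects `ps` and `ls /proc` alike, while the per-PID stat it relies on is not hooked.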

Misconfigured Docker services remain a favorite target of cybercriminals, and the Xanthe Malware is just one of many threats to go after Docker in 2020. In recent months, Docker instances have been targeted by the TeamTNT criminal group as well as by malware families such as Graboid. Servers running Docker can be protected with reliable anti-malware software and, above all, by making sure the Docker daemon's security settings are configured properly: do not expose the daemon's TCP API on the network unless it is genuinely required, and where it is, require TLS client certificates and restrict which hosts can reach the port.
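As an added example (not part of the original article and not Docker's own tooling), the Python script below checks the two places where the Docker daemon's listeners are configured, /etc/docker/daemon.json and the `-H` flags on the dockerd command line, and reports any TCP listener that lacks `--tlsverify`, which is the misconfiguration that leaves the daemon open to anyone who can reach the port. The two daemon.json documents are constructed samples: a weak one with an unauthenticated listener on 0.0.0.0:2375 beside a hardened one that requires client certificates on 2376 (Docker's conventional plaintext and TLS ports). The certificate paths in the hardened sample are placeholders.

```python
"""Audit the Docker daemon's listener configuration for an unauthenticated
TCP API. Added example; the sample configs below are constructed."""
import json
import os
import shlex
from dataclasses import dataclass

DAEMON_JSON = "/etc/docker/daemon.json"      # standard location on Linux
LOCAL_SCHEMES = ("unix://", "fd://")         # reachable only from the host itself
PUBLIC_BINDS = {"", "0.0.0.0", "[::]", "::"}


@dataclass
class Finding:
    listener: str
    severity: str
    detail: str


def listeners_from_daemon_json(text: str) -> tuple[list[str], bool]:
    """Return (hosts, tlsverify) from a daemon.json document (empty text = defaults)."""
    cfg = json.loads(text) if text.strip() else {}
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def listeners_from_execstart(line: str) -> tuple[list[str], bool]:
    """Return (hosts, tlsverify) from a systemd ExecStart= line or a bare dockerd command."""
    cmd = line.split("=", 1)[1] if line.startswith("ExecStart=") else line
    argv = shlex.split(cmd)
    hosts, tlsverify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:
            hosts.append(arg[2:])                 # -Htcp://... (attached value)
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def assess(hosts: list[str], tlsverify: bool) -> list[Finding]:
    """Rate each listener. Only --tlsverify authenticates clients; plain --tls
    encrypts the connection but still lets any client talk to the daemon."""
    findings = []
    for h in hosts:
        if h.startswith(LOCAL_SCHEMES):
            continue
        if not h.startswith("tcp://"):
            findings.append(Finding(h, "warn", "unrecognised listener scheme, review by hand"))
            continue
        addr = h[len("tcp://"):]
        bind = addr.rsplit(":", 1)[0] if ":" in addr else addr
        public = bind in PUBLIC_BINDS
        if not tlsverify:
            findings.append(Finding(h, "critical" if public else "high",
                "TCP API without --tlsverify: anyone who reaches this port can run "
                "containers as root on the host"))
        elif public:
            findings.append(Finding(h, "info",
                "client certificates required; still firewall the port to known hosts"))
    return findings


def audit_host(daemon_json_path: str = DAEMON_JSON) -> list[Finding]:
    """Run the check against this host's daemon.json (empty list if absent or clean)."""
    if not os.path.exists(daemon_json_path):
        return []
    with open(daemon_json_path, encoding="utf-8") as fh:
        return assess(*listeners_from_daemon_json(fh.read()))


# Constructed samples: the weak setting beside the corrected one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        for f in assess(*listeners_from_daemon_json(doc)):
            print(f"{label:8} {f.severity:8} {f.listener}: {f.detail}")
    for f in audit_host():
        print(f"live     {f.severity:8} {f.listener}: {f.detail}")
```

The script reads both configuration sources because operators put the `hosts` setting in either one (dockerd refuses to start if it is given in both), so a check that only looks at daemon.json would miss a `-H tcp://` added to the systemd unit. Note that a `tlsverify` finding of "info" is still not a pass: a daemon listening on 0.0.0.0 should also be firewalled to the handful of hosts that legitimately drive it.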
