Ngrok Mining Botnet

The campaign will scan for vulnerable or exposed servers on ports 80, 8080, 2375, 5984, 6379 and 8545. These scans are performed either manually via Shodan, or automatically from previously compromised servers using JQ, Zgrab and Zmap. Once a vulnerable server has been identified, one of three distinct attack vectors are used:

• Exploiting known vulnerabilities in the targeted platforms to load a pre-configured Docker image containing an XMRig-based mining application.
• Creating bespoke Docker images containing the same miner alongside an IRC botnet module. These images are given names similar to those of legitimate images in order to mislead system administrators when loading images.
• Exploiting vulnerabilites before using the dockerd daemon to to escape the affected container. The attackers will then install their payloads directly on the device.

Once installed, the malware will enumerate all running process and terminate any that match a hard-coded list before installing the mining module. It will then send system and user information to a command and control server over the ngrok URL tunnelling service, from which the campaign takes its name. Certain images will then download a secondary module to scan for new targets.