Three large-scale campaigns focused Docker Hub customers, planting hundreds of thousands of repositories that pushed malware and phishing websites since early 2021.
As JFrog safety researchers discovered, round 20% of the 15 million repositories hosted by Docker Hub contained malicious content material, starting from spam to harmful malware and phishing websites.Â
The researchers found nearly 4.6 million repositories containing no Docker photos—which could not be run utilizing a Kubernetes cluster or a Docker engine—and linked roughly 2.81 million to 3 massive malicious campaigns.Â
Every of those campaigns used totally different ways to create and distribute the malicious repositories. The “Downloader” and “eBook Phishing” campaigns created faux repositories in batches, whereas the “Website SEO” marketing campaign created a number of repositories day by day and used a single person per repository.
The “Downloader” marketing campaign contained robotically generated texts with web optimization textual content selling pirated content material or cheats for video video games and hyperlinks to the software program.
“This campaign operated in two distinct rounds (circa 2021 and 2023), and both rounds used exactly the same malicious payload, a malicious executable that most antivirus engines detect as a generic Trojan,” mentioned JFrog.
When executed, the malware payload it pushed shows an set up dialog that asks the person to obtain and set up the marketed software program. Nevertheless, it can obtain all of the malicious binaries from the supply as a substitute and schedule their persistent execution on the now compromised system.
JFrog suspects that this can be half of a bigger malware operation, which might contain adware or monetization schemes that concentrate on units contaminated after putting in third-party software program.
​The “eBook Phishing” marketing campaign created practically 1,000,000 repositories providing free eBook downloads and containing randomly generated descriptions and obtain URLs. After promising a full free model of an eBook, the web site redirects the targets to a phishing touchdown web page asking them to enter their bank card data.
Not like the earlier two campaigns, the “Website SEO” marketing campaign’s intention is unclear. Whereas the content material is generally innocent, all repositories have the identical title: “website.”
“It is possible that the campaign was used as some sort of a stress test before enacting the truly malicious campaigns,” mentioned JFrog.
Along with the big campaigns, smaller repositories with lower than 1000 packages have been created in different campaigns, primarily specializing in pushing spam and web optimization content material.
JFrog alerted the Docker safety staff of their findings, which included 3.2 million repositories suspected of internet hosting malicious or undesirable content material. Docker has since eliminated all of the repositories from Docker Hub.
“Unlike typical attacks targeting developers and organizations directly, the attackers in this case tried to leverage Docker Hub’s platform credibility, making it more difficult to identify the phishing and malware installation attempts,” JFrog added.
“Almost three million malicious repositories, some of them active for over three years highlight the attackers’ continued misuse of the Docker Hub platform and the need for constant moderation on such platforms.”
