Cybersecurity researchers have warned of an ongoing cryptojacking campaign exploiting misconfigured Kubernetes clusters to mine Dero money.

Cloud security firm Wiz, which revealed the activity, stated that it is an enhanced version of a financially motivated operation previously identified by CrowdStrike in March 2023.

“In this incident, the threat actor abused anonymous access to an Internet-facing cluster to launch malicious container images hosted on Docker Hub, some of which have more than 10,000 pulls,” said Wiz researchers Avigayil Mechtinger, Shay Berkovich, and Gili Tikochinski. “These Docker images contain a UPX-packed Dero miner named ‘pause.'”

To gain initial access, the miner payloads are delivered to externally accessible Kubernetes API servers that have anonymous authentication enabled.

You might be interested in: Cox Modem Vulnerabilities Threaten Millions

Unlike the 2023 version, which used a Kubernetes DaemonSet called “proxy-api,” the current variant uses seemingly innocent DaemonSets called “k8s-device-plugin” and “pytorch-container” to eventually launch the miner on all nodes in the cluster.

Furthermore, the container’s name “pause” is an effort to pass itself off as the legitimate “pause” container, which is used to bootstrap a pod and ensure network isolation.

The bitcoin miner is an open-source Go binary with hard-coded wallet addresses and configurable Dero mining pool URLs. It is additionally obfuscated with the open-source UPX packer to prevent analysis.

The primary tactic is that by embedding the mining configuration into the code, the miner can be launched without using command-line inputs, which are typically monitored by security systems.

Wiz claimed it discovered further tools created by the threat actor, including a Windows sample of a UPX-packed Dero miner and a dropper shell script meant to stop competing miner processes on an affected host and remove GMiner from GitHub.

“[The attacker] registered domains with innocent-looking names to avoid raising suspicion and to better blend in with legitimate web traffic while masking communication with otherwise well-known mining pools,” according to the investigators.

“These combined tactics demonstrate the attacker’s ongoing efforts to adapt their methods and stay one step ahead of defenders.”