JFrog’s security research team has uncovered three large-scale malware campaigns infiltrating Docker Hub, a platform facilitating Docker image development, collaboration, and distribution. These campaigns have deployed millions of malicious “imageless” containers, exploiting Docker Hub’s community features.
Docker Hub hosts a staggering 12.5 million repositories, but according to JFrog, approximately 25% serve no useful functionality. Instead, they act as vehicles for spam, pirated content promotion, and malware dissemination, posing a significant threat to unsuspecting users.
Exploiting Community Features: Malicious Documentation Pages
The attack on Docker Hub exploited its community features, allowing users to publish repositories with only documentation pages, devoid of actual container images. Disguised as legitimate content, these documentation pages lead users to phishing and malware-hosting websites, putting their systems at risk.
Three Major Malware Campaigns Identified
Through an analysis of Docker Hub image creation patterns over the past five years, the research team identified over four million imageless repositories, constituting 37% of all public repositories. Further investigation revealed three main malware campaigns:
- Downloader Campaign: Offers pirated content and game cheats as bait.
- eBook Phishing Campaign: Lures users with free eBook downloads to steal credit card information.
- Website Campaign: Characterized by randomly generated repositories with benign descriptions.
Each campaign employed distinct tactics to evade detection, such as URL shorteners and open redirect bugs. The payloads of these campaigns, predominantly Trojans, communicated with command-and-control (C2) servers to download additional malware and execute persistent tasks on infected systems.
Call for Enhanced Moderation and Community Involvement
These findings highlight the need for enhanced moderation on Docker Hub and greater community involvement in detecting and mitigating malicious activity. Andrey Polkovnichenko, security researcher at JFrog, warned, “The most concerning aspect of these three campaigns is that there is not a lot that users can do to protect themselves at the outset other than exercising caution.”
Polkovnichenko added, “These threat actors are highly motivated and are hiding behind the credibility of the Docker Hub name to lure victims. As Murphy’s Law suggests, if malware developers can exploit something, it inevitably will be, so we expect that these campaigns can be found in more repositories than just Docker Hub.”