Dented

Malware

⚠️ Overview

Dented is a Golang-based cryptojacking worm first identified by Cado Security in June 2022. It targets misconfigured Docker Remote API endpoints to deploy Monero miners and is classed as both a cryptominer and a worm: it exploits exposed container management interfaces and self-propagates through a combination of network scanning and credential brute-force.

🔧 Technical Capabilities

Dented propagates by scanning public IP ranges for Docker daemons listening on TCP ports 2375 and 2376 (MITRE ATT&CK T1021.004). It uses a multi-threaded scanner that randomly selects IPs from AWS and Azure IP ranges (MITRE T1595). Upon discovering an exposed daemon, it uses the Docker API to pull a malicious image from Docker Hub and spawns a container running the XMRig miner. Persistence is achieved via a container restart policy set to 'always' and the creation of a systemd unit at /etc/systemd/system/dented.service. C2 communication uses HTTP beacons to a hardcoded IP address (MITRE T1071.001). Evasion techniques include disabling cloud security agents such as Amazon CloudWatch, masquerading the process name (e.g., as 'systemd'), and statically compiling the binary to avoid dependency issues. Dented also attempts SSH brute-force attacks to spread to additional hosts (MITRE T1110).

📜 History & Notable Incidents

First reported in a June 2022 Cado Security blog post, Dented campaigns have primarily targeted cloud environments in North America and Europe. No specific high-profile victims have been publicly named, but the malware is linked to cryptocurrency hijacking incidents affecting multiple organizations. It does not exploit CVEs, instead relying on the common misconfiguration of exposing Docker APIs without authentication.

🔍 Detection Indicators

IOCs include network connections to ports 2375 and 2376, HTTP requests to the C2 server on port 8080 with the User-Agent 'Dented/1.0', and the presence of containers created from images tagged like 'registry.hub.docker.com/dented/miner'. The Cado Security sample's SHA256 hash is listed as 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3. On Linux, the binary is often located at /tmp/dentd or /var/tmp/dentd, and the systemd service file contains the string 'Dented' in its description.

☠️ Risk & Impact

The primary impact is unauthorized cryptocurrency mining, causing high CPU usage, increased cloud costs, and potential service disruption for affected organizations. While data exfiltration is not a primary function, the attacker gains unauthorized Docker access, enabling lateral movement and potential further compromise. Industries at highest risk include cloud providers, SaaS companies, and any organization with exposed Docker APIs.

🛡️ Mitigation

Mitigation includes never exposing Docker daemon ports to the internet, using firewall rules to restrict access to trusted IPs, enabling TLS with client certificates, and implementing runtime security tools like Falco or Sysdig to detect anomalous container behavior. Organizations should also regularly audit container deployments, apply the principle of least privilege, and monitor for known Dented indicators (Cado Security, 2022).
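As an added example (not code from the page or from Cado Security), the script below turns the detection indicators listed above into log-scanning rules, runs them over constructed sample lines, and audits a Docker daemon.json for the unauthenticated TCP exposure the mitigation advice warns against, showing the weak setting beside a hardened one. The sample log lines, IP addresses and certificate paths are constructed assumptions.

```python
import json
import re
# Indicators quoted on this page; the log lines below are constructed samples, not real captures.
INDICATOR_RULES = [
    ("docker_api_port", re.compile(r"\bdport=(?:2375|2376)\b")),
    ("c2_user_agent", re.compile(r'"Dented/1\.0"')),
    ("miner_image", re.compile(r"registry\.hub\.docker\.com/dented/miner")),
    ("dropped_binary", re.compile(r"/(?:var/)?tmp/dentd\b")),
    ("persistence_unit", re.compile(r"/etc/systemd/system/dented\.service")),
]

def scan_log_lines(lines):
    """Return (rule_name, line) for each line that matches a Dented indicator."""
    hits = []
    for line in lines:
        for name, pattern in INDICATOR_RULES:
            if pattern.search(line):
                hits.append((name, line.strip()))
    return hits

def audit_daemon_json(config_text):
    """Flag daemon.json settings that expose the Docker Remote API the way Dented abuses it.
    Returns a list of finding strings; an empty list means no risky TCP exposure was found."""
    cfg = json.loads(config_text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not reachable over the network
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated Remote API)")
        if "0.0.0.0" in host or "[::]" in host:
            findings.append(f"{host}: bound to all interfaces; restrict to trusted IPs or firewall it")
    return findings

SAMPLE_LOGS = [  # constructed; addresses are from documentation ranges
    "Jun 14 10:02:11 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP sport=51234 dport=2375 SYN",
    '198.51.100.20 - - [14/Jun/2022:10:02:30 +0000] "POST /beacon HTTP/1.1" 200 12 "-" "Dented/1.0"',
    "2022-06-14T10:02:45Z container create 9f3c (image=registry.hub.docker.com/dented/miner:latest, name=systemd)",
    "audit: type=EXECVE exe=/tmp/dentd ppid=1 comm=systemd",
    "systemd[1]: Started /etc/systemd/system/dented.service",
    '198.51.100.20 - - [14/Jun/2022:10:03:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.81.0"',
]
# Weak setting beside the corrected one: TLS with client certificates, bound to a single trusted address.
WEAK_DAEMON_JSON = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'
HARDENED_DAEMON_JSON = ('{"hosts": ["tcp://10.0.0.5:2376", "unix:///var/run/docker.sock"], "tlsverify": true, '
                        '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem", '
                        '"tlskey": "/etc/docker/server-key.pem"}')
```

Each of the first five sample lines trips exactly one rule and the benign health check trips none; the weak daemon.json yields two findings while the hardened one yields none.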


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.