Forensic Analysis of Cryptojacking in Host-based Docker Containers Using Honeypots

Abstract

Blockchain-based cryptocurrencies have transformed financial transactions and created opportunities to profit from generating new coins through cryptomining. This has led to cybercriminals stealthily using their victim’s computational power and resources for their own profit. Recent trends point to an increase in cryptojacking malware targeting devices with greater processing power such as host-based Docker engines for faster and greater profit. In our study, we perform a forensic analysis for detecting cryptojacking (i.e., unauthorized cryptomining) in Docker containers using honeypots. Then, we present countermeasures for securing host-based Docker containers. In addition, we propose an approach for monitoring host-based Docker containers for cryptojacking detection. To the best of our knowledge, this is the first study investigating cryptojacking detection with the use of a honeypot system. Our results reveal that host resource usage and network traffic are the key indicators of possible unauthorized cryptomining in Docker containers.

Publication
IEEE International Conference on Communications (ICC)
Abbas Acar
Senior Research Scientist

I completed my PhD in the Cyber-Physical Systems Security (CSL) lab under the supervision of Professor Selcuk Uluagac in 2020 at Florida International University (FIU), USA. Before that, I received my BSc in Electrical and Electronics Engineering from Middle East Technical University, Turkey, in 2015 with a minor in Mathematics. My research interests include alternative authentication methods (e.g., continuous authentication), IoT security and privacy, and privacy-preserving technologies (e.g., homomorphic encryption).