Crypto Mining Campaign Targets Docker Environments with New Evasion Technique
Researchers at Darktrace and Cado Security have uncovered a cryptojacking campaign targeting Docker environments. Instead of dropping a CPU miner, the malicious container runs a node for a decentralized data-scraping network and earns its tokens by faking activity, which sidesteps detection logic written for XMRig-style miners. The payload itself is buried under dozens of layers of obfuscation, and its real-world profitability is far from clear.
TL;DR
A cryptojacking campaign is targeting Docker environments. Rather than running XMRig, the malicious container joins the Teneo decentralized network and earns Teneo Points by sending fake keep-alive traffic, evading the usual miner detections. The script that does this is hidden under 63 rounds of base64, zlib and string-reversal obfuscation, which turned out to be trivial to unwind automatically.
Main Content
Researchers from Darktrace and Cado Security have identified a malware campaign targeting Docker environments. The campaign earns cryptocurrency by a route other than conventional mining, which shows how cryptojacking tactics keep adapting to detection [1].
Malware Campaign Overview
The malware campaign targets Docker environments to deploy a malicious node connected to Teneo, a decentralized infrastructure network. Teneo allows users to earn rewards (Teneo Points) by running Community Nodes that scrape public data from social platforms like Facebook, X, Reddit, and TikTok. These points can be converted to $TENEO tokens, which the malware covertly monetizes [1].
Attack Chain Analysis
The attack begins with a request to launch a container from the Docker Hub image kazutod/tene:ten. The researchers pulled the image and saved it as a tar file for inspection. Extracting that tar showed that the image uses the OCI format, in which the contents are organized as layers rather than as a single file tree [1].
“The Docker image uses the OCI format, which is different from a regular file system. Instead of having a static folder of files, the image consists of layers. Each layer is stored as a tar file, along with a JSON metadata file.”
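The layout the quote describes can be walked with a few dozen lines of Python. The following is an added example, not code from the Darktrace/Cado report: it constructs a small OCI-layout tarball of the kind recent docker save versions emit (oci-layout, index.json, blobs/sha256/...), then inspects it the way the researchers did, following index.json to the manifest, the config and each layer tar, verifying every blob against its digest and listing the files a layer would write. The sample image, its ten.py contents, its Cmd and all digests are constructed stand-ins, not the real kazutod/tene:ten image.

```python
import gzip
import hashlib
import io
import json
import tarfile


def _add_member(tar, name, data):
    """Append an in-memory file to an open tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _store_blob(blobs, data):
    """File a blob under its sha256 digest, as an OCI blob store does."""
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    blobs[digest] = data
    return digest


def build_sample_image():
    """Constructed stand-in for 'docker save' output in OCI layout. The layer
    content, Cmd and digests are made up here; this is not kazutod/tene:ten."""
    blobs = {}

    # One layer: an uncompressed tar holding a harmless script. diff_ids in the
    # config refer to the uncompressed tar; the manifest refers to the gzip blob.
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as layer:
        _add_member(layer, "app/ten.py", b"print('hello from the layer')\n")
    diff_id = "sha256:" + hashlib.sha256(raw.getvalue()).hexdigest()
    layer_digest = _store_blob(blobs, gzip.compress(raw.getvalue()))

    config = {"architecture": "amd64", "os": "linux",
              "config": {"Cmd": ["python3", "/app/ten.py"]},
              "rootfs": {"type": "layers", "diff_ids": [diff_id]}}
    config_digest = _store_blob(blobs, json.dumps(config).encode())

    manifest = {"schemaVersion": 2,
                "mediaType": "application/vnd.oci.image.manifest.v1+json",
                "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                           "digest": config_digest},
                "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                            "digest": layer_digest}]}
    manifest_digest = _store_blob(blobs, json.dumps(manifest).encode())

    index = {"schemaVersion": 2,
             "manifests": [{"mediaType": manifest["mediaType"],
                            "digest": manifest_digest}]}

    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tar:
        _add_member(tar, "oci-layout", b'{"imageLayoutVersion": "1.0.0"}')
        _add_member(tar, "index.json", json.dumps(index).encode())
        for digest, data in blobs.items():
            algo, hexval = digest.split(":")
            _add_member(tar, f"blobs/{algo}/{hexval}", data)
    return out.getvalue()


def inspect_oci_image(image_tar):
    """Walk index.json -> manifest -> config and layers. Every blob is checked
    against its digest; layer tars are only listed, nothing is extracted to
    disk or executed. Returns one dict per image referenced by the index."""
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r") as tar:
        def read(name):
            return tar.extractfile(name).read()

        def blob(digest):
            algo, hexval = digest.split(":")
            data = read(f"blobs/{algo}/{hexval}")
            if hashlib.new(algo, data).hexdigest() != hexval:
                raise ValueError(f"blob does not match its digest: {digest}")
            return data

        images = []
        for entry in json.loads(read("index.json"))["manifests"]:
            manifest = json.loads(blob(entry["digest"]))
            run = json.loads(blob(manifest["config"]["digest"])).get("config", {})
            layers = []
            for layer in manifest["layers"]:
                # mode "r" lets tarfile auto-detect gzip, bz2 or xz layer compression
                with tarfile.open(fileobj=io.BytesIO(blob(layer["digest"])),
                                  mode="r") as lt:
                    layers.append({"digest": layer["digest"],
                                   "files": lt.getnames()})
            images.append({"entrypoint": run.get("Entrypoint"),
                           "cmd": run.get("Cmd"), "layers": layers})
    return images


if __name__ == "__main__":
    for image in inspect_oci_image(build_sample_image()):
        print("Entrypoint:", image["entrypoint"], "Cmd:", image["cmd"])
        for layer in image["layers"]:
            print(" ", layer["digest"][:19], layer["files"])
```

Against a real sample, run docker pull and docker save, then call inspect_oci_image(open("image.tar", "rb").read()). The Cmd and Entrypoint tell you which file in which layer to pull out first (here that would be ten.py), and the digest check catches a tarball that was altered after being saved. Older Docker versions emit only the legacy manifest.json layout, and zstd-compressed layers need a tarfile with zstd support; both are outside what this example handles.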
Obfuscation Techniques
The ten.py script included in the malicious Docker image is heavily obfuscated with multiple layers of base64 encoding, zlib compression, and string reversal. Each stage decodes and executes the next, and 63 iterations were needed before the actual malicious code appeared. Despite that depth, the decoding was easily automated, which suggests the effort was meant to deter casual analysis rather than to seriously hinder experts [1].
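To make the "easily automated" point concrete, here is an added Python example; it is neither the malware's own code nor the researchers' script. It wraps a payload in 63 nested stages using the three transforms the report names (string reversal, base64, zlib), each stage exec()ing the one inside it, and then peels the stages statically by pattern-matching the stub rather than executing anything. The stub layout, the transform order and the PAYLOAD are constructed assumptions; a real ten.py will use its own stub wording, so STUB_RE has to be adapted to the sample in hand.

```python
import base64
import re
import zlib

# One wrapper stage, constructed to mirror the transforms named in the report
# (string reversal, base64, zlib). Not the actual stub used by ten.py.
STUB = "exec(zlib.decompress(base64.b64decode({blob!r}[::-1])))"
STUB_RE = re.compile(
    r"exec\(zlib\.decompress\(base64\.b64decode\('([A-Za-z0-9+/=]*)'\[::-1\]\)\)\)")

# Constructed stand-in for the innermost stage; the real payload is not reproduced.
PAYLOAD = "import socket\nprint('node started')\n"


def wrap_once(source):
    """Compress, base64-encode and reverse the source, then embed it in a stub
    that undoes those steps and exec()s the result."""
    blob = base64.b64encode(zlib.compress(source.encode())).decode()[::-1]
    return STUB.format(blob=blob)


def obfuscate(source, rounds):
    """Nest the stub `rounds` times. Only the outermost file needs the imports,
    because every inner exec() runs in the same global namespace."""
    for _ in range(rounds):
        source = wrap_once(source)
    return "import base64, zlib\n" + source


def peel(source, max_rounds=10_000):
    """Statically unwrap stages until no stub pattern remains. The sample is
    never exec()ed, so this is safe to run on hostile input whose stub matches
    STUB_RE. max_rounds guards against a stage that decodes to itself.
    Returns (innermost_source, rounds_peeled)."""
    rounds = 0
    while rounds < max_rounds:
        match = STUB_RE.search(source)
        if not match:
            break
        blob = match.group(1)[::-1]            # undo the string reversal
        source = zlib.decompress(base64.b64decode(blob)).decode()
        rounds += 1
    return source, rounds


if __name__ == "__main__":
    staged = obfuscate(PAYLOAD, 63)
    compile(staged, "<stage0>", "exec")       # syntax check only; nothing runs
    recovered, rounds = peel(staged)
    print(rounds, "rounds peeled; payload recovered:", recovered == PAYLOAD)
```

The important design choice is that peel() never calls exec(): an analyst who unwinds a sample by running each stage is executing attacker code on the analysis box, while the static loop only needs the decode primitives. Because every stage has the same shape, the loop's cost is one regex match per round, which is why 63 layers add nothing but delay.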
Evasion Tactics
The malicious script connects to teneo[.]pro, but instead of scraping it sends fake keep-alive pings, since Teneo Points are awarded based on activity levels. Because no CPU-heavy miner such as XMRig is ever dropped, the container does not trip the detections written for XMRig-based cryptojacking, which key on the miner binary, its mining-pool traffic and its sustained CPU load. The attacker's Docker Hub profile suggests similar abuse of other decentralized compute networks. However, because $TENEO is a private token traded in a closed ecosystem, it is unclear how profitable this method actually is [1].
Additional Observations
The attacker’s Docker Hub profile shows a pattern of abuse, with their latest container running a Nexus network client to earn crypto via distributed zero-knowledge compute tasks [1].
“Translating a user ID to a wallet address does not appear to be possible, and there is limited public information about the tokens themselves.”
Conclusion
This campaign shows cryptojacking attackers shifting to alternative ways of generating crypto in order to evade detection tuned for conventional miners. How profitable those alternatives are remains uncertain, because the tokens involved are private and trade only within closed ecosystems.