Crypto Mining Campaign Targets Docker Environments with New Evasion Technique

A new malware campaign has been spotted targeting Docker environments with an unusual technique for covertly generating cryptocurrency, according to researchers from Darktrace and Cado Security. The campaign deploys a malicious node connected to Teneo, a decentralized infrastructure network that rewards users for running Community Nodes that scrape public data from social platforms such as Facebook, X, Reddit, and TikTok.

The attackers use the Teneo Points system to monetize social media bandwidth, a novel approach in the cryptojacking space. The attack chain begins with a request to launch a container from Docker Hub, specifically the kazutod/tene:ten image. Researchers analyzed this malicious Docker image and found that it is packaged in the OCI image format, which is laid out differently from a traditional file system.

Each layer of the Docker image is stored as a tar file with accompanying JSON metadata, rather than as part of a traditional file system. The researchers used Docker tools to pull the image and save it as a single tar file for easier inspection. After extracting that tar, they found the image's contents spread across its layers, which complicates analysis.

The researchers analyzed the ten.py script included in the malicious Docker image and discovered that it is heavily obfuscated using multiple layers of base64 encoding, zlib compression, and string reversal. The script decodes and executes a payload repeatedly, each time generating another encoded string to decode, requiring 63 iterations before the actual malicious code is revealed.

Despite the complex obfuscation, the researchers pointed out that the decoding process was easily automated, suggesting that the effort was meant to deter casual analysis rather than seriously hinder experts. The malicious script connects to teneo[.]pro; however, instead of scraping, it sends fake keep-alive pings to earn "Teneo Points" based on activity levels.
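To show what "easily automated" means for the layered base64, zlib and string-reversal obfuscation described above, here is an added example (not code from the report or from ten.py) that builds a harmless multi-layer sample and peels it back to the innermost payload while counting layers. The exact wrapper one-liner and the order of the three transforms are assumptions; only the transforms themselves come from the report.

```python
"""Peel layered base64 / zlib / string-reversal wrappers from a Python script."""
import base64
import re
import zlib

# Assumed wrapper layout: reversed base64 text of a zlib stream, executed via exec().
# The real ten.py layout is not known from the report; this is a constructed stand-in.
WRAPPER = "exec(__import__('zlib').decompress(__import__('base64').b64decode('{blob}'[::-1])))"
PATTERN = re.compile(r"b64decode\('([A-Za-z0-9+/=]+)'\[::-1\]\)")


def wrap_once(source: str) -> str:
    """Apply one obfuscation layer: zlib -> base64 -> reverse -> wrapper."""
    blob = base64.b64encode(zlib.compress(source.encode())).decode()[::-1]
    return WRAPPER.format(blob=blob)


def build_sample(inner: str, layers: int) -> str:
    """Constructed test sample: wrap a benign payload `layers` times."""
    script = inner
    for _ in range(layers):
        script = wrap_once(script)
    return script


def peel_once(script: str):
    """Undo one layer, or return None if the text is not a recognised wrapper."""
    match = PATTERN.search(script)
    if not match:
        return None
    try:
        data = base64.b64decode(match.group(1)[::-1])  # reverse, then base64-decode
        return zlib.decompress(data).decode()           # then inflate to the next stage
    except (ValueError, zlib.error, UnicodeDecodeError):
        return None


def deobfuscate(script: str, max_layers: int = 1000):
    """Peel wrappers until plain code remains; return (layer_count, final_source)."""
    layers = 0
    while layers < max_layers:
        nxt = peel_once(script)
        if nxt is None:
            break
        script, layers = nxt, layers + 1
    return layers, script


if __name__ == "__main__":
    count, payload = deobfuscate(build_sample("print('hello')", 63))
    print(f"peeled {count} layers -> {payload!r}")
```

Reading the blob with a regex instead of running exec() is what lets the analysis stay offline: nothing from the sample is ever executed.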

This tactic evades the detection techniques commonly tuned for XMRig-based cryptojacking. The attacker's Docker Hub profile suggests similar abuse of other decentralized compute networks. However, because private tokens like Teneo are closed ecosystems, it is unclear how profitable the method is.

Traditionally, cryptojacking attacks rely on XMRig to mine cryptocurrency directly; because XMRig is so widely detected, attackers are shifting to alternative ways of generating crypto. Whether this new approach is more profitable remains to be seen. There is currently no easy way to determine the attackers' earnings, given the more "closed" nature of the private tokens.

Translating a user ID to a wallet address does not appear to be possible, and there is limited public information about the tokens themselves. The researchers conclude that this evasion technique highlights the ongoing cat-and-mouse game between cybercriminals and security experts.

Conclusion

This campaign demonstrates how attackers adapt to evade detection and find new ways to abuse Docker environments. As the threat landscape continues to evolve, organizations need to stay vigilant and implement robust security measures to protect their infrastructure from such attacks.