
Crypto mining campaign targets Docker environments with new evasion technique
A new malware campaign targets Docker environments using novel techniques to secretly mine cryptocurrency, researchers warn.
Researchers from Darktrace and Cado Security have observed a malware campaign that targets Docker environments with a novel technique to mine cryptocurrency.
The campaign deploys a malicious node tied to Teneo, a decentralized infrastructure network. Teneo lets users earn rewards (Teneo Points) by running Community Nodes that scrape public data from social platforms such as Facebook, X, Reddit, and TikTok. These points can be converted into $TENEO tokens. The malware covertly monetizes social media bandwidth through this mechanism.
The attack chain starts with a request to launch a container from Docker Hub, specifically the kazutod/tene:ten image.
To analyze the malicious Docker image kazutod/tene:ten, the researchers used Docker tooling to pull the image and save it as a tar archive for easier inspection.

Upon extracting the tar, the experts found that the image uses the OCI format, in which contents are organized in layers. Each layer is stored as a tar file with accompanying JSON metadata, rather than as a conventional file system.
“The Docker image uses the OCI format, which is slightly different to a regular file system. Instead of having a static folder of files, the image consists of layers. Indeed, when running the file command over the sha256 directory, each layer is shown as a tar file, along with a JSON metadata file,” reads the report published by Darktrace. “As the detailed layers are not important for analysis, a single command can be used to extract all of them into a single directory, recreating what the container file system would look like:”
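As an added example (it is not the command from the Darktrace report, which the page does not reproduce), the following Python flattens an OCI image layout of the kind `docker save` writes into one directory: it reads index.json, follows the manifest blob, applies the layer tars in manifest order, honours `.wh.` whiteout markers so files deleted in an upper layer do not reappear, and rejects tar members with absolute or `..` paths before extracting anything. The two-layer sample image is constructed inline as a stand-in for a saved kazutod/tene:ten; the names build_sample_image, flatten_oci_image, is_safe_member and demo are this example's own.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile

WHITEOUT = ".wh."  # OCI marker: ".wh.<name>" deletes <name> from lower layers


def _blob_path(root, digest):
    """Map 'sha256:<hex>' to <root>/blobs/sha256/<hex>."""
    algo, hexdigest = digest.split(":", 1)
    return os.path.join(root, "blobs", algo, hexdigest)


def is_safe_member(name):
    """Reject tar members that would write outside the output directory."""
    return not name.startswith("/") and ".." not in name.split("/")


def flatten_oci_image(root, out_dir):
    """Apply every layer in manifest order to out_dir; return digests applied."""
    with open(os.path.join(root, "index.json")) as f:
        manifest_digest = json.load(f)["manifests"][0]["digest"]
    with open(_blob_path(root, manifest_digest)) as f:
        manifest = json.load(f)
    applied = []
    for layer in manifest["layers"]:
        with tarfile.open(_blob_path(root, layer["digest"])) as tf:
            for member in tf.getmembers():
                if not is_safe_member(member.name):
                    raise ValueError(f"refusing unsafe path in layer: {member.name}")
                directory, base = os.path.split(member.name)
                if base.startswith(WHITEOUT):
                    # Upper layer deleted a lower-layer file: remove it, extract nothing.
                    victim = os.path.join(out_dir, directory, base[len(WHITEOUT):])
                    if os.path.isfile(victim):
                        os.remove(victim)
                    continue
                tf.extract(member, out_dir)
        applied.append(layer["digest"])
    return applied


# --- constructed sample image (stand-in for a saved kazutod/tene:ten) ---

def _make_layer(files):
    """Build an uncompressed tar layer in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _write_blob(root, data):
    """Store data content-addressed under blobs/sha256 and return its digest."""
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    os.makedirs(os.path.join(root, "blobs", "sha256"), exist_ok=True)
    with open(_blob_path(root, digest), "wb") as f:
        f.write(data)
    return digest


def build_sample_image(root):
    """Two-layer layout: base files, then an overlay that replaces etc/motd,
    whites out app/old.txt and adds app/ten.py (constructed content)."""
    layers = [
        _make_layer({"etc/motd": b"base image\n", "app/old.txt": b"stale\n"}),
        _make_layer({"etc/motd": b"overlay\n", "app/.wh.old.txt": b"",
                     "app/ten.py": b"print('placeholder payload')\n"}),
    ]
    digests = [_write_blob(root, layer) for layer in layers]
    manifest = {"schemaVersion": 2, "layers": [
        {"mediaType": "application/vnd.oci.image.layer.v1.tar", "digest": d}
        for d in digests]}
    manifest_digest = _write_blob(root, json.dumps(manifest).encode())
    with open(os.path.join(root, "index.json"), "w") as f:
        json.dump({"schemaVersion": 2, "manifests": [
            {"mediaType": "application/vnd.oci.image.manifest.v1+json",
             "digest": manifest_digest}]}, f)
    return digests


def demo():
    """Build, flatten, and return (layers applied, {relative path: text})."""
    with tempfile.TemporaryDirectory() as tmp:
        root, out = os.path.join(tmp, "image"), os.path.join(tmp, "rootfs")
        os.makedirs(out)
        build_sample_image(root)
        applied = flatten_oci_image(root, out)
        files = {}
        for dirpath, _, names in os.walk(out):
            for name in names:
                full = os.path.join(dirpath, name)
                with open(full) as f:
                    files[os.path.relpath(full, out)] = f.read()
        return applied, files


if __name__ == "__main__":
    applied, files = demo()
    print(f"applied {len(applied)} layers")
    for path in sorted(files):
        print(path, repr(files[path]))
```

Run it as-is to see the flattened tree; point flatten_oci_image at a real `docker save` output directory to flatten a saved image. Only plain `.wh.<name>` whiteouts are handled here; opaque directory whiteouts (`.wh..wh..opq`) and layers that are gzip-compressed blobs would need extra handling, and the path check is there because an attacker-controlled layer is untrusted input for the analyst's workstation.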
The researchers analyzed the ten.py script included in the malicious Docker image and found that it is heavily obfuscated using multiple layers of base64 encoding, zlib compression, and string reversal. The script decodes and executes a payload repeatedly, each time producing another encoded string to decode, requiring 63 iterations before the actual malicious code is revealed. The researchers noted that despite the elaborate obfuscation, the decoding process was easily automated, suggesting the effort was likely meant to deter casual analysis rather than seriously hinder experts.
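An added example of automating the unwrapping loop described above; it is not the real ten.py, whose exact wrapper the page does not show. The wrapper shape assumed here, exec(zlib.decompress(base64.b64decode(b'...'[::-1]))), is constructed for the example, as are the names wrap_once, obfuscate, unwrap_once and deobfuscate. The peeler keeps going until the wrapper pattern no longer matches and caps how far each stage may inflate, so a decompression bomb in a sample cannot exhaust the analyst's memory.

```python
import base64
import re
import zlib

# Assumed wrapper shape for this example (constructed; the real ten.py's
# exact wrapper is not reproduced here): zlib -> base64 -> reverse -> exec.
STAGE_RE = re.compile(
    r"exec\(zlib\.decompress\(base64\.b64decode\(b'([A-Za-z0-9+/=]+)'\[::-1\]\)\)\)"
)
MAX_STAGE_BYTES = 2_000_000  # refuse to inflate any single stage beyond this


def wrap_once(source: str) -> str:
    """Add one obfuscation layer: compress, base64, reverse, exec() stub."""
    blob = base64.b64encode(zlib.compress(source.encode())).decode()[::-1]
    return f"exec(zlib.decompress(base64.b64decode(b'{blob}'[::-1])))"


def obfuscate(source: str, layers: int) -> str:
    """Nest `layers` wrappers around source (used to build the sample)."""
    for _ in range(layers):
        source = wrap_once(source)
    return source


def _capped_decompress(data: bytes, limit: int) -> bytes:
    """Inflate at most `limit` bytes; raise instead of ballooning in memory."""
    d = zlib.decompressobj()
    out = d.decompress(data, limit)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("stage exceeds MAX_STAGE_BYTES; possible decompression bomb")
    return out


def unwrap_once(stage: str):
    """Peel one layer; return the inner source, or None if no wrapper matches."""
    m = STAGE_RE.fullmatch(stage.strip())
    if m is None:
        return None
    raw = base64.b64decode(m.group(1)[::-1])  # undo the reversal, then base64
    return _capped_decompress(raw, MAX_STAGE_BYTES).decode()


def deobfuscate(stage: str, max_layers: int = 1000):
    """Peel wrappers until plain code remains; return (code, layers_removed)."""
    peeled = 0
    while peeled < max_layers:
        inner = unwrap_once(stage)
        if inner is None:
            break
        stage, peeled = inner, peeled + 1
    return stage, peeled


if __name__ == "__main__":
    sample = obfuscate("print('final stage')", 63)  # constructed 63-layer sample
    code, layers = deobfuscate(sample)
    print(f"removed {layers} layers -> {code!r}")
```

The loop mirrors what the researchers describe: each stage yields another encoded string, and nothing about the scheme resists automation once the wrapper is recognised. Against a real sample, replace STAGE_RE with the wrapper actually observed and keep the per-stage cap and the iteration limit, since the stage count and the inflated sizes are attacker-controlled.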
The malicious script connects to teneo[.]pro; however, instead of scraping, the malware sends fake keep-alive pings to earn “Teneo Points” based on activity levels. This tactic lets it evade common detection methods for XMRig-based cryptojacking attacks. The attacker’s DockerHub profile suggests similar abuse of decentralized compute networks. However, due to the closed nature of private tokens like Teneo, it is unclear how profitable this method is.
The attacker’s DockerHub profile shows a pattern of abuse, with their latest container running a Nexus network client to earn crypto through distributed zero-knowledge compute tasks.
“Typically, traditional cryptojacking attacks rely on using XMRig to directly mine cryptocurrency, however as XMRig is highly detected, attackers are shifting to alternative methods of generating crypto. Whether this is more profitable remains to be seen. There is not currently an easy way to determine the earnings of the attackers due to the more “closed” nature of the private tokens,” concludes the report. “Translating a user ID to a wallet address does not appear to be possible, and there is limited public information about the tokens themselves.”