In a recently uncovered malware campaign targeting Docker environments, attackers are using a novel approach to mine cryptocurrency. Research teams at both Darktrace and Fortinet recently detected the still-evolving campaign, which abuses the Teneo Web3 node with fraudulent heartbeat pings.
The malicious Docker image, which was uploaded about two months ago, has been downloaded 325 times as of this writing. The image is in fact a wrapper around a heavily obfuscated Python script: it takes 63 layers of unpacking to reach the actual code. Once unpacked, the script opens a connection to teneo.pro.
Campaign Details
The campaign has focused particularly on the technology sector, with Japan, Taiwan, Vietnam and Mexico the most affected countries. It is reminiscent of bandwidth-sharing scams such as proxyjacking: users are enticed to download the application by the promise of financial rewards in exchange for their excess bandwidth.
"The malware script simply connects to the WebSocket and sends keep-alive pings in order to gain more points from Teneo and does not do any actual scraping," - Darktrace
This approach was the only way for the attackers to build up points from Teneo without going through the hours of work to scrape a website.
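The behaviour Darktrace describes, a long-lived WebSocket that carries almost nothing but keep-alive pings, is itself a detectable pattern. The following is an added example, not code from the original report or from Darktrace or Fortinet: it scores per-container WebSocket sessions from a constructed egress log and flags those that consist mostly of evenly spaced ping frames with little payload. The log format (one line per outbound frame with a timestamp, container name, destination host, frame type and byte count) is an assumption made for the example; real container network telemetry would need its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log (not real telemetry). miner-7 holds a
# WebSocket to teneo.pro and sends nothing but ping frames every 15 s after
# an initial text frame; web-1 is an ordinary client exchanging data frames.
SAMPLE_LOG = """\
2025-04-01T10:00:00Z container=web-1 dst=api.example.internal frame=text bytes=512
2025-04-01T10:00:02Z container=miner-7 dst=teneo.pro frame=text bytes=96
2025-04-01T10:00:07Z container=web-1 dst=api.example.internal frame=text bytes=2048
2025-04-01T10:00:17Z container=miner-7 dst=teneo.pro frame=ping bytes=0
2025-04-01T10:00:21Z container=web-1 dst=api.example.internal frame=ping bytes=0
2025-04-01T10:00:32Z container=miner-7 dst=teneo.pro frame=ping bytes=0
2025-04-01T10:00:40Z container=web-1 dst=api.example.internal frame=text bytes=128
2025-04-01T10:00:47Z container=miner-7 dst=teneo.pro frame=ping bytes=0
2025-04-01T10:01:02Z container=miner-7 dst=teneo.pro frame=ping bytes=0
2025-04-01T10:01:17Z container=miner-7 dst=teneo.pro frame=ping bytes=0
2025-04-01T10:01:32Z container=miner-7 dst=teneo.pro frame=ping bytes=0
2025-04-01T10:01:33Z container=web-1 dst=api.example.internal frame=text bytes=4096
"""

# Assumed log line layout (see the lead-in); fields are space separated key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) container=(?P<container>\S+) dst=(?P<dst>\S+) "
    r"frame=(?P<frame>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Turn the constructed log into a list of frame events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a detection job should tolerate noise rather than crash
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "container": m["container"],
            "dst": m["dst"],
            "frame": m["frame"],
            "bytes": int(m["bytes"]),
        })
    return events


def find_keepalive_only_sessions(text, min_pings=4, min_ping_ratio=0.8, max_cv=0.2):
    """Flag (container, destination) sessions that are mostly ping frames sent at
    a steady cadence. Returns a dict keyed by (container, dst) with the evidence.

    cv is the coefficient of variation of the gaps between pings: a scripted
    heartbeat loop gives a cv near 0, interactive traffic is far more jittery."""
    sessions = defaultdict(list)
    for ev in parse_log(text):
        sessions[(ev["container"], ev["dst"])].append(ev)

    flagged = {}
    for key, evs in sessions.items():
        evs.sort(key=lambda e: e["ts"])
        pings = [e for e in evs if e["frame"] == "ping"]
        if len(pings) < min_pings:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(pings, pings[1:])]
        if not gaps or mean(gaps) <= 0:
            continue
        ratio = len(pings) / len(evs)
        cv = pstdev(gaps) / mean(gaps)
        payload = sum(e["bytes"] for e in evs if e["frame"] != "ping")
        if ratio >= min_ping_ratio and cv <= max_cv:
            flagged[key] = {
                "pings": len(pings),
                "ping_ratio": round(ratio, 2),
                "interval_s": round(mean(gaps), 1),
                "payload_bytes": payload,
            }
    return flagged


if __name__ == "__main__":
    for (container, dst), info in find_keepalive_only_sessions(SAMPLE_LOG).items():
        print(f"{container} -> {dst}: {info}")
```

The thresholds are deliberately conservative: a legitimate client that sends a regular ping but also exchanges data frames fails the ping-ratio test, so the rule keys on "heartbeat and nothing else" rather than on the presence of pings alone.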
Technical Analysis
At the heart of this campaign is a heavily obfuscated Python script. The degree of obfuscation, 63 layers to unpack, shows how hard the operators worked to evade detection. Once active, the script's main purpose is to hold a constant open connection to teneo.pro and send regular "keep-alive" pings.
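Layered obfuscation of this kind is usually peeled back statically rather than by running the sample. The block below is an added example, not code from the original article or from the researchers: it builds a constructed sample wrapped in a chosen number of nested exec(zlib.decompress(base64.b64decode(...))) shells, then unwraps it by inspecting the Python AST and decoding each layer without ever executing any of it. That wrapping scheme is an assumption for illustration; the article only states that the real image took 63 layers to unpack, not which encodings it used.

```python
import ast
import base64
import zlib

# Constructed innermost payload; harmless by design.
INNER_PAYLOAD = "print('innermost layer reached')"


def wrap(code: str, layers: int) -> str:
    """Wrap source in `layers` nested base64+zlib exec() shells (assumed scheme)."""
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(code.encode())).decode()
        code = (
            "import base64, zlib\n"
            f"exec(zlib.decompress(base64.b64decode('{blob}')))"
        )
    return code


def _is_attr_call(node, attr_name):
    """True if node is a call of the form <something>.<attr_name>(...) with one argument."""
    return (
        isinstance(node, ast.Call)
        and isinstance(node.func, ast.Attribute)
        and node.func.attr == attr_name
        and len(node.args) == 1
    )


def peel_one_layer(code: str):
    """Find exec(zlib.decompress(base64.b64decode('<literal>'))) in the AST and
    return the decoded inner source, or None if no such wrapper is present.
    Only the syntax tree is inspected; nothing is executed."""
    tree = ast.parse(code)
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "exec" and node.args):
            continue
        outer = node.args[0]
        if not _is_attr_call(outer, "decompress"):
            continue
        inner = outer.args[0]
        if not _is_attr_call(inner, "b64decode"):
            continue
        literal = inner.args[0]
        if isinstance(literal, ast.Constant) and isinstance(literal.value, str):
            return zlib.decompress(base64.b64decode(literal.value)).decode()
    return None


def unwrap(code: str, max_layers: int = 200):
    """Peel wrappers until none remain. Returns (layer_count, final_source).
    max_layers bounds the loop so a malformed or hostile sample cannot spin forever."""
    layers = 0
    while layers < max_layers:
        inner = peel_one_layer(code)
        if inner is None:
            break
        code = inner
        layers += 1
    return layers, code


if __name__ == "__main__":
    sample = wrap(INNER_PAYLOAD, 7)
    count, source = unwrap(sample)
    print(f"peeled {count} layers; recovered source: {source!r}")
```

Real samples rarely use a single clean scheme for every layer, so in practice peel_one_layer grows into a set of recognisers (marshal, codecs.decode, string reversal and so on), each of which only ever decodes data and returns the next layer for inspection.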
In their recent report, researchers at cybersecurity startup Darktrace observed an unusual phenomenon. While most cryptojacking campaigns rely on XMRig, this campaign uses a different method to generate cryptocurrency. The change indicates that attackers are migrating away from conventional cryptojacking tools because those tools are increasingly detected.
Security Implications
"IoT and network devices are often poorly defended endpoints, making them attractive targets for attackers to exploit and deliver malicious programs," - Vincent Li
Vincent Li's quote highlights the bigger risk picture: these poorly defended devices are increasingly used as attack vectors in the threat landscape. The recent abuse of Docker environments is a reminder of the importance of deploying strong security measures to guard against this type of attack.