Cybersecurity researchers have detailed a malware marketing campaign that is concentrating on Docker environments with a beforehand undocumented method to mine cryptocurrency.
The exercise cluster, per Darktrace and Cado Safety, represents a shift from different cryptojacking campaigns that straight deploy miners like XMRig to illicitly revenue off the compute assets.
This entails deploying a malware pressure that connects to a nascent Web3 service referred to as Teneo, a decentralized bodily infrastructure community (DePIN) that permits customers to monetize public social media information by operating a Neighborhood Node in change for rewards referred to as Teneo Factors, which might be transformed into $TENEO Tokens.
The node basically features as a distributed social media scraper to extract posts from Fb, X, Reddit, and TikTok.
An evaluation of artifacts gathered from Darktrace’s honeypots has revealed that the assault begins with a request to launch a container picture “kazutod/tene:ten” from the Docker Hub registry. The picture was uploaded two months in the past and has been downloaded 325 occasions up to now.
The container picture is designed to run an embedded Python script that is closely obfuscated and requires 63 iterations to unpack the precise code, which units up a connection to teneo[.]professional.
“The malware script merely connects to the WebSocket and sends keep-alive pings to be able to achieve extra factors from Teneo and doesn’t do any precise scraping,” Darktrace mentioned in a report shared with The Hacker Information. “Based mostly on the web site, many of the rewards are gated behind the variety of heartbeats carried out, which is probably going why this works.”
The marketing campaign is paying homage to one other malicious risk exercise cluster that is identified to contaminate misconfigured Docker situations with the 9Hits Viewer software program to be able to generate visitors to sure websites in change for acquiring credit.
The intrusion set can also be much like different bandwidth-sharing schemes like proxyjacking that contain downloading a particular software program to share unused web assets for some form of monetary incentive.
“Usually, conventional cryptojacking assaults depend on utilizing XMRig to straight mine cryptocurrency, nonetheless as XMRig is very detected, attackers are shifting to various strategies of producing crypto,” Darktrace mentioned. “Whether or not that is extra worthwhile stays to be seen.”
The disclosure comes as Fortinet FortiGuard Labs revealed a brand new botnet dubbed RustoBot that is propagating by means of safety flaws in TOTOLINK (CVE-2022-26210 and CVE-2022-26187) and DrayTek (CVE-2024-12987) units with an intention to conduct DDoS assaults. The exploitation efforts have been discovered to primarily goal the know-how sector in Japan, Taiwan, Vietnam, and Mexico.
“IoT and community units are sometimes poorly defended endpoints, making them engaging targets for attackers to take advantage of and ship malicious applications,” safety researcher Vincent Li mentioned. “Strengthening endpoint monitoring and authentication can considerably scale back the chance of exploitation and assist mitigate malware campaigns.”
Replace
The container picture is not accessible for obtain from Docker Hub. The account continues to stay energetic.
