New Cryptojacking Malware Targets Docker with Novel Mining Technique
A new cryptojacking malware campaign is targeting Docker environments using a novel mining technique, according to researchers from Darktrace and Cado Security Labs.
The campaign demonstrates a trend of attackers shifting to alternative methods of generating cryptocurrency, including the abuse of legitimate tools to obtain crypto rewards.
The malware attempts to connect to a legitimate crypto website, a Web3 startup firm called teneo.pro.
This service allows users to join a decentralized network and gain private crypto tokens in exchange for running a node, which scrapes their distributed social media data.
In the new campaign, the malware script simply connects to the websocket and sends ‘keep alive’ pings to gain more points from teneo but doesn’t do any actual scraping. These ‘teneo points’ translate into private crypto tokens.
The attacker appears to have previously used similar techniques to mine cryptocurrency. The researchers revealed that the most recent container in the attacker’s Docker Hub profile runs an instance of the Nexus Network client, a project that performs distributed zero-knowledge compute tasks in exchange for cryptocurrency.
“Typically, traditional cryptojacking attacks rely on using XMRig to directly mine cryptocurrency; however, as XMRig is highly detected, we now see attackers shifting to alternative methods of generating crypto,” the researchers explained.
Darktrace and Cado added that they are not currently able to determine the level of earnings the attacker was able to generate using this technique, due to the “closed” nature of the private tokens.
Multiple Layers of Obfuscation
The attackers’ attempt to deploy the malware starts with a request to launch a container from Docker Hub. This container is designed to run the ten.py script, which is built into the container image.
The script deploys a series of processes, which results in running a decoded Python payload.
This payload is heavily obfuscated; the researchers were able to reverse engineer it by repeatedly running the decode function used earlier in the payload launch and by applying string manipulation.
They explained that the multiple layers of obfuscation are likely designed to help bypass signature analysis and attempt to prevent analysts and other hackers from decoding the malware.
“Obfuscation remains a ubiquitous technique employed by the majority of malware to aid in detection/defense evasion, and being able to deobfuscate code is an important skill for analysts to possess,” the researchers wrote.
Protecting Against Docker-Based Attacks
The researchers emphasized that Docker is a highly targeted service and urged firms to take action to improve its security.
Docker is a software platform that allows users to build, test and deploy applications quickly.
The software is delivered into standardized units called containers, which contain everything the software needs to run including libraries, system tools, code and runtime.
However, this service has previously been leveraged as a vehicle to deploy malware.
The researchers said that system administrators should never have Docker exposed to the wider internet unless absolutely necessary.
Additionally, authentication and firewalling should be employed to ensure only authorized users are able to access the service.
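As an added example (not code from the article or from the researchers), the following Python audits a Docker daemon.json-style configuration for the two conditions just described: a TCP API listener reachable from off the host, and the absence of TLS client authentication (tlsverify). The sample configurations are constructed for illustration.

```python
"""Audit Docker daemon.json for unauthenticated network exposure of the API.

Added example: checks a daemon.json-style dict for TCP listeners bound to
non-loopback addresses and for missing TLS client authentication.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def is_local(host: str) -> bool:
    """True if a listener address is loopback only (127.0.0.1, ::1, localhost)."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # empty string, 0.0.0.0-style wildcards or hostnames: not local


def audit_daemon_config(config: dict) -> list[str]:
    """Return findings for a daemon.json dict; an empty list means nothing flagged."""
    findings = []
    # dockerd defaults to the unix socket when "hosts" is absent
    hosts = config.get("hosts", ["unix:///var/run/docker.sock"])
    tls_required = bool(config.get("tlsverify"))
    for h in hosts:
        url = urlsplit(h)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable over the network
        bind = url.hostname or ""  # urlsplit gives None for "tcp://:2375"
        if not is_local(bind):
            if not tls_required:
                findings.append(f"{h}: TCP listener reachable off-host without tlsverify (unauthenticated API)")
            elif any(config.get(k) is None for k in TLS_KEYS):
                findings.append(f"{h}: tlsverify set but tlscacert/tlscert/tlskey incomplete")
            else:
                findings.append(f"{h}: TLS-authenticated listener exposed; confirm firewall limits source addresses")
        if url.port == 2375:
            findings.append(f"{h}: port 2375 is the conventional plaintext Docker API port")
    return findings


# Constructed sample configurations (not taken from the campaign)
WEAK_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
TLS_EXPOSED_CONFIG = {"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": True,
                      "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem",
                      "tlskey": "/etc/docker/server-key.pem"}
HARDENED_CONFIG = {**TLS_EXPOSED_CONFIG, "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"]}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("tls-exposed", TLS_EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```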
“Attacks happen every minute, and even leaving the service open for a short period of time may result in a serious compromise,” they noted.