Cybersecurity researchers detail malware campaigns targeting Docker environments with previously undocumented techniques for mining cryptocurrency.
Darktrace Per and Cado Security Activity Clusters represent a transition from other crypto jacking campaigns that directly deploy miners like Xmrig to illegally benefit their computing resources.
This includes deploying malware distortions that connect to an early Web3 service called Teneo. Teneo is a decentralized physical infrastructure network (DEPIN) that allows users to monetize public social media data by running community nodes in exchange for rewards called Teneo Points.
The node basically acts as a distributed social media scraper that extracts posts from Facebook, X, Reddit, and Tiktok.
Analysis of artifacts collected from honeypots revealed that the attack begins with a request to launch a container image “Kazutod/Tene:10” from the Docker Hub registry. The image was uploaded two months ago and has been downloaded 325 times so far.
The container image is designed to run embedded Python scripts that are heavily obfuscated.[.]professional.
“Malware scripts simply connect to WebSockets, send Keep-Alive Pings to earn more points from Teneo, and do not do any real scraping,” Darktrace said in a report shared with Hacker News. “Based on the website, this could work because most rewards are behind the number of heartbeats performed.”
This campaign is reminiscent of another malicious threat activity cluster known to infect misconfigured Docker instances with 9Hits Viewer software to generate traffic to a particular site in exchange for obtaining credits.
Intrusion sets are similar to other bandwidth sharing schemes, such as proxy jacks, which involve downloading certain software and sharing unused internet resources for some financial incentive.
“Traditional cryptojacking attacks usually rely on using Xmrig to directly mining cryptocurrencies, but because Xmrig is highly detected, attackers are moving towards alternative ways to generate crypto,” Darktrace said. “We still don’t see if this is more profitable.”
This disclosure occurs when they uncover a new botnet called a new botnet that is propagating through security flaws in Totolink (CVE-2022-26210 and CVE-2022-26187) and Draytek (CVE-2024-12987) with DDOS attacks. Exploitation efforts are known to target primarily the technology sectors of Japan, Taiwan, Vietnam and Mexico.
“IoT and network devices are often unprotected endpoints and are attractive targets for attackers to leverage and deliver malicious programs,” said security researcher Vincent Li. “Enhanced endpoint monitoring and authentication will significantly reduce the risk of exploitation and help mitigate malware campaigns.”
Source link
