Ethical Hacking News
New malware has been discovered targeting Docker environments with an innovative method of secretly mining cryptocurrency, employing layers within a malicious image to evade detection. Despite complex obfuscation and attempts to shift towards alternative methods of generating crypto, the true profitability of this method remains uncertain.
Researchers discovered a sophisticated malware campaign targeting Docker environments to secretly mine cryptocurrency. The malware uses the OCI format to organize its contents into layers, evading standard detection methods. A single command can extract all the layers of the malicious image, recreating the container file system as it would appear to an attacker. The script is heavily obfuscated using multiple layers of base64 encoding and zlib compression. Automated decoding suggests the obfuscation was intended to deter casual analysis, not experts. The attackers used a compromised xrpl.js Ripple cryptocurrency library to mine cryptocurrency. The method allows evasion of common detection techniques used for XMRig-based cryptojacking attacks. Experts emphasize the need for continuous vigilance in Docker environment security because of the novel evasion technique.
Researchers from Darktrace and Cado Security have recently discovered a sophisticated malware campaign that specifically targets Docker environments, employing an innovative method to secretly mine cryptocurrency. The malicious code in question makes use of the OCI (Open Container Initiative) format to organize its contents into layers, rather than relying on traditional file systems.
This approach allows the malware to evade standard detection methods and remain stealthy, even for experts with extensive experience in analyzing Docker environments. In fact, the researchers found that a single command can be used to extract all the layers of the malicious image into a single directory, recreating the container file system as it would appear to an attacker.
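Flattening an image's layers into one directory, as the researchers describe, is also a routine defensive step when triaging a suspicious image offline. The following is an added example (not code from the report or from the researchers) that applies the layers named in a `docker save`-style manifest.json in order, honours OCI whiteout entries so deletions in upper layers are reflected, and refuses member paths that would escape the output directory. The sample image it processes is constructed in memory for demonstration.

```python
"""Flatten a `docker save`-style image archive into one directory for offline
analysis, applying layers in manifest order and honouring OCI whiteout entries.

Added example; not code from the report. It assumes the archive uses the
docker-save layout (a top-level manifest.json whose "Layers" list names the
layer tarballs inside the archive). The sample image is constructed in memory.
"""
import io
import json
import os
import shutil
import tarfile
import tempfile

WHITEOUT_PREFIX = ".wh."          # `.wh.<name>` deletes <name> from lower layers
OPAQUE_WHITEOUT = ".wh..wh..opq"  # hides every lower-layer entry in its directory


def _safe_rel(name: str) -> str:
    """Normalise a tar member name and refuse anything escaping the output root."""
    norm = os.path.normpath(name)
    if os.path.isabs(norm) or norm.split(os.sep)[0] == "..":
        raise ValueError(f"unsafe path in layer: {name!r}")
    return norm


def _remove(path: str) -> None:
    if os.path.isdir(path) and not os.path.islink(path):
        shutil.rmtree(path)
    elif os.path.lexists(path):
        os.remove(path)


def apply_layer(layer_bytes: bytes, root: str) -> None:
    """Apply one layer tarball on top of root: deletions first, then contents."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        members = layer.getmembers()
        for m in members:
            base = os.path.basename(m.name)
            parent = os.path.join(root, _safe_rel(os.path.dirname(m.name) or "."))
            if base == OPAQUE_WHITEOUT:
                if os.path.isdir(parent):
                    for entry in os.listdir(parent):
                        _remove(os.path.join(parent, entry))
            elif base.startswith(WHITEOUT_PREFIX):
                _remove(os.path.join(parent, base[len(WHITEOUT_PREFIX):]))
        for m in members:
            if os.path.basename(m.name).startswith(WHITEOUT_PREFIX):
                continue
            dest = os.path.join(root, _safe_rel(m.name))
            if m.isdir():
                os.makedirs(dest, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with layer.extractfile(m) as src, open(dest, "wb") as dst:
                    shutil.copyfileobj(src, dst)
            # Symlinks, hard links and device nodes are skipped on purpose: the
            # analysis only needs regular files, and not materialising links
            # avoids link-following surprises while extracting untrusted content.


def flatten_image(image_bytes: bytes, out_dir: str) -> list:
    """Apply every layer named in manifest.json, in order; returns the layer list."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:*") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        layers = manifest[0]["Layers"]
        for layer_name in layers:
            apply_layer(image.extractfile(layer_name).read(), out_dir)
    return layers


def _tar_bytes(entries: dict) -> bytes:
    """Build an uncompressed tar in memory from {name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed two-layer image: layer 2 overwrites ten.py and whites out a log."""
    layer1 = _tar_bytes({"app/ten.py": b"print('v1')\n", "app/debug.log": b"noise\n"})
    layer2 = _tar_bytes({"app/ten.py": b"print('v2')\n", "app/.wh.debug.log": b""})
    manifest = json.dumps([{"Config": "cfg.json", "RepoTags": ["example/image:latest"],
                            "Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "l1/layer.tar": layer1,
                       "l2/layer.tar": layer2})


def demo() -> dict:
    """Flatten the constructed image and return {relative path: contents}."""
    with tempfile.TemporaryDirectory() as out:
        flatten_image(build_sample_image(), out)
        result = {}
        for dirpath, _, files in os.walk(out):
            for f in files:
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    result[os.path.relpath(path, out)] = fh.read()
    return result


if __name__ == "__main__":
    for rel, data in demo().items():
        print(rel, data)
```

Applying whiteouts matters for analysis: a file deleted in an upper layer is invisible inside a running container, but its bytes still sit in the lower layer's tarball, so a flattened view and a per-layer view can both be informative.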
The researchers analyzed the ten.py script included within the malicious Docker image and discovered that it is heavily obfuscated using multiple layers of base64 encoding, zlib compression, and string reversal. The script decodes and executes a payload repeatedly, generating another encoded string each time it does so, requiring 63 iterations before the actual malicious code is revealed.
The researchers pointed out that despite the complex obfuscation process, the decoding was easily automated, suggesting that the effort was likely meant to deter casual analysis rather than seriously hinder experts. Furthermore, they noted that the attackers made use of a compromised xrpl.js Ripple cryptocurrency library in order to mine cryptocurrency, a library that has itself been reported as the target of a supply chain attack.
Rather than scraping data from social media platforms, the malicious script connects to teneo[.]pro and sends fake keep-alive pings to earn “Teneo Points” based on activity levels. This tactic allows the attackers to evade common detection techniques used for XMRig-based cryptojacking attacks. However, due to the closed nature of private tokens like Teneo, it remains unclear how profitable this method is.
The attackers' DockerHub profile suggests a pattern of abuse, with their latest container running a Nexus network client to earn cryptocurrency via distributed zero-knowledge compute tasks. Traditionally, cryptojacking attacks rely on XMRig to mine cryptocurrency directly; however, as XMRig is widely detected by security tooling, attackers are shifting to alternative methods of generating crypto.
It is currently unclear whether this method is more profitable than traditional approaches, as there is limited public information about the tokens themselves and translating a user ID to a wallet address does not appear to be possible. In any case, experts from Darktrace emphasize that the novel evasion technique employed by the attackers highlights the ongoing need for continuous vigilance in Docker environment security.
Related Information:
https://www.ethicalhackingnews.com/articles/Crypto-Mining-Campaign-Targets-Docker-Environments-with-Novel-Evasion-Technique-ehn.shtml
https://securityaffairs.com/176877/malware/crypto-mining-campaign-targets-docker-environments-with-new-evasion-technique.html
Published: Wed Apr 23 14:25:07 2025 by llama3.2 3B Q4_K_M