Ethical Hacking News

Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals: A Comprehensive Analysis


A newly identified malware campaign leverages web3 technology to mine cryptocurrency by exploiting Docker environments. It relies on a previously undocumented technique: using a Teneo Web3 Node to earn crypto via fake heartbeat signals. Understanding this attack is crucial to staying ahead of the evolving threat landscape.

  • The threat landscape has witnessed the emergence of new types of malware that leverage web3 technology to mine cryptocurrency, targeting Docker environments using an undocumented technique.
  • The malware connects to Teneo, a decentralized physical infrastructure network, and extracts public social media data in exchange for rewards called Teneo Points.
  • This malware represents a shift in cryptojacking campaigns that typically rely on deploying miners like XMRig to illicitly profit off compute resources.
  • The attack mechanism involves requesting users to launch a container image that runs an obfuscated Python script, which connects to Teneo and sends keep-alive pings to gain more points.
  • This attack is reminiscent of other malicious threat activity clusters that infect misconfigured Docker instances with software to generate traffic for financial incentives.
  • Attackers are shifting towards alternative methods of generating cryptocurrency, because traditional cryptojacking attacks that rely on XMRig are widely detected by security systems.
  • A recent botnet dubbed RustoBot is propagating through security flaws in IoT and network devices to conduct DDoS attacks, highlighting the need for endpoint monitoring and authentication.



    A new type of malware that leverages web3 technology to mine cryptocurrency has recently been identified. The attack targets Docker environments using a previously undocumented technique, which differs from other cryptojacking campaigns that directly deploy miners like XMRig.

    The malware in question connects to a nascent web3 service called Teneo, a decentralized physical infrastructure network (DePIN) that allows users to monetize public social media data by running a Community Node in exchange for rewards called Teneo Points. These points can be converted into $TENEO Tokens. The node functions as a distributed social media scraper to extract posts from Facebook, X, Reddit, and TikTok.

    According to Darktrace and Cado Security, the activity cluster represents a shift in cryptojacking campaigns that typically rely on deploying miners like XMRig to illicitly profit off compute resources. In contrast, this malware exploits a Docker environment by requesting users to launch a container image "kazutod/tene:ten" from the Docker Hub registry.

    The container image is designed to run an embedded Python script that's heavily obfuscated and requires 63 iterations to unpack the actual code, which sets up a connection to teneo[.]pro. Darktrace reported that the malware script simply connects to the WebSocket and sends keep-alive pings in order to gain more points from Teneo and does not perform any actual scraping.
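A defender can turn the two indicators named above, the image reference and the domain, into a triage check over container inventory and egress records. The sketch below is an added example, not code from Darktrace, Cado Security or this article; the egress-record schema, the sample data and the jitter threshold for spotting regular keep-alive traffic are assumptions.

```python
import json
from statistics import mean, pstdev

# Indicators named in the article (domain refanged for matching).
IOC_IMAGE = "kazutod/tene:ten"
IOC_DOMAIN = "teneo.pro"

def normalize_image(ref):
    """Lower-case repo:tag, without digest or Docker Hub host prefix."""
    ref = ref.lower().split("@", 1)[0]
    for prefix in ("index.docker.io/", "docker.io/"):
        if ref.startswith(prefix):
            ref = ref[len(prefix):]
    return ref if ":" in ref.rsplit("/", 1)[-1] else ref + ":latest"

def domain_matches(host):
    """IoC domain or a subdomain of it; look-alike suffixes do not match."""
    host = host.lower().rstrip(".")
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)

def looks_like_heartbeat(sent_at, max_jitter=0.1, min_events=5):
    """Assumed heuristic: enough sends at a near-constant interval."""
    gaps = [b - a for a, b in zip(sent_at, sent_at[1:])]
    if len(sent_at) < min_events or mean(gaps) <= 0:
        return False
    return pstdev(gaps) / mean(gaps) <= max_jitter

def triage(docker_ps_lines, egress):
    """Sorted (kind, container) findings from inventory and egress records."""
    findings = set()
    for line in docker_ps_lines:
        c = json.loads(line)
        if normalize_image(c["Image"]) == IOC_IMAGE:
            findings.add(("ioc-image", c["Names"]))
    for rec in egress:
        if domain_matches(rec["host"]):
            beat = looks_like_heartbeat(rec["sent_at"])
            findings.add(("ioc-domain-heartbeat" if beat else "ioc-domain", rec["container"]))
    return sorted(findings)

# Constructed samples: `docker ps --format '{{json .}}'` lines; egress schema is hypothetical.
SAMPLE_PS = [
    '{"ID":"a1b2c3","Image":"docker.io/kazutod/tene:ten","Names":"quirky_node"}',
    '{"ID":"d4e5f6","Image":"nginx:1.27","Names":"web"}']
SAMPLE_EGRESS = [
    {"container": "quirky_node", "host": "teneo.pro", "sent_at": [0, 10, 20, 30.2, 40, 50]},
    {"container": "web", "host": "notteneo.pro", "sent_at": [1, 2, 9]}]
if __name__ == "__main__":
    print(triage(SAMPLE_PS, SAMPLE_EGRESS))
```

A regular send interval is only a supporting signal: legitimate WebSocket clients also send keep-alives, so the image and domain matches carry the weight here.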

    This attack mechanism is reminiscent of other malicious threat activity clusters known to infect misconfigured Docker instances with the 9Hits Viewer software to generate traffic for certain sites in exchange for credits. The intrusion set also bears similarities with other bandwidth-sharing schemes such as proxyjacking that involve downloading specific software to share unused internet resources for financial incentives.

    In an interview, Darktrace stated that traditional cryptojacking attacks rely on using XMRig to directly mine cryptocurrency; however, since XMRig is widely detected by security systems, attackers are shifting towards alternative methods of generating cryptocurrency. The profit generated from this new method remains unknown at present.

    Meanwhile, a recent botnet dubbed RustoBot has been identified by Fortinet FortiGuard Labs as propagating through security flaws in TOTOLINK (CVE-2022-26210 and CVE-2022-26187) and DrayTek (CVE-2024-12987) devices to conduct DDoS attacks. These exploitation efforts primarily target the technology sector in Japan, Taiwan, Vietnam, and Mexico.

    According to security researcher Vincent Li, IoT and network devices are often poorly defended endpoints, making them attractive targets for attackers to exploit and deliver malicious programs. Strengthening endpoint monitoring and authentication can significantly reduce the risk of exploitation and help mitigate malware campaigns.

    This latest development serves as a reminder of the evolving nature of cybersecurity threats and the need for continuous vigilance and proactive measures to safeguard against emerging risks.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Docker-Malware-Exploits-Teneo-Web3-Node-to-Earn-Crypto-via-Fake-Heartbeat-Signals-A-Comprehensive-Analysis-ehn.shtml

  • https://thehackernews.com/2025/04/docker-malware-exploits-teneo-web3-node.html


  • Published: Tue Apr 22 13:05:39 2025 by llama3.2 3B Q4_K_M












