Full Report
Cybersecurity researchers have detailed a malware campaign that's targeting Docker environments with a previously undocumented technique to mine cryptocurrency. The activity cluster, per Darktrace and Cado Security, represents a shift from other cryptojacking campaigns that directly deploy miners like XMRig to illicitly profit off the compute resources. This involves deploying a malware strain
Analysis Summary
# Incident Report: Docker Cryptojacking via Teneo Node Exploitation
## Executive Summary
A novel malware campaign was discovered targeting Docker environments by leveraging a vulnerability or misconfiguration to deploy a containerized script. Instead of traditional cryptocurrency mining (like XMRig), the malware connects to the nascent Web3 service Teneo, sending fake "heartbeat" signals to fraudulently earn Teneo Points, which are convertible to $TENEO Tokens. The impact primarily involves resource misuse for illicit crypto gain, facilitated by heavy code obfuscation.
## Incident Details
- **Discovery Date:** April 22, 2025 (Date of reported disclosure)
- **Incident Date:** Activity likely began soon after the malicious Docker image was uploaded and first used (the image was uploaded two months prior to disclosure).
- **Affected Organization:** Undisclosed organizations running vulnerable Docker instances. This appears to be a widespread campaign targeting environments capable of running Docker.
- **Sector:** Technology/Cloud/Any organization using Docker infrastructure.
- **Geography:** Targeting efforts observed primarily in Japan, Taiwan, Vietnam, and Mexico (based on similar contemporaneous activity mentioned, though specifics for this campaign are generalized).
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified beyond the image having been uploaded "two months ago" relative to disclosure.
- **Vector:** Deployment of a malicious Docker container image.
- **Details:** Attackers utilized or tricked victims into pulling and running the Docker Hub image `kazutod/tene:ten`.
### Lateral Movement
- No explicit lateral movement details were provided; the focus was on compromise within the containerized environment itself.
### Data Exfiltration/Impact
- **Data Exfiltration:** None reported.
- **Impact:** Resource utilization (compute cycles) to generate artificial rewards (Teneo Points/Tokens) for the attacker via fake social media scraping activity.
### Detection & Response
- **Detection:** Analysis of artifacts collected by researchers at Darktrace and Cado Security from honeypot systems the attacker interacted with.
- **Response Actions:** Not explicitly detailed for the victims, but the disclosure serves as an awareness measure.
## Attack Methodology
- **Initial Access:** Launching the container image `kazutod/tene:ten` from Docker Hub.
- **Persistence:** The embedded Python script establishes and maintains a WebSocket connection to `teneo[.]pro`.
- **Privilege Escalation:** Not explicitly detailed; the attack implies the attacker could reach a Docker daemon or host able to run the image.
- **Defense Evasion:** The embedded Python script is heavily obfuscated, requiring 63 iterations to unpack the actual malicious code.
- **Credential Access:** Not applicable/Not mentioned.
- **Discovery:** Not applicable/Not mentioned in the context of network reconnaissance.
- **Lateral Movement:** Not mentioned.
- **Collection:** The malware sends "keep-alive pings" (fake heartbeats) that the service associates with scraping social media data (Facebook, X, Reddit, TikTok), without performing any scraping.
- **Exfiltration:** The "result" is the illicit acquisition of Teneo Points/TENEO Tokens, not traditional data exfiltration.
- **Impact:** Cryptojacking via novel point-farming mechanism, resource exhaustion.
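Peeling the kind of multi-layered obfuscation described under Defense Evasion, as an added example that is not code from the report, Darktrace or Cado Security: the layering scheme (base64 + zlib inside `exec`) and the benign 63-layer payload are assumptions constructed for the demonstration, and the loop never executes what it unpacks.

```python
import base64
import re
import zlib

# Assumed layering scheme (an assumption for this example, not the campaign's real
# packer): every layer is exec(zlib.decompress(base64.b64decode(b'...'))) that
# wraps the next layer, so the real code is only visible after N decode steps.
LAYER_RE = re.compile(
    rb"exec\(zlib\.decompress\(base64\.b64decode\(b?(['\"])([A-Za-z0-9+/=]+)\1\)\)\)"
)


def pack(payload: bytes, layers: int) -> bytes:
    """Build a constructed sample wrapped in `layers` nested exec layers."""
    src = payload
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(src))
        src = (b"import base64, zlib\n"
               b"exec(zlib.decompress(base64.b64decode(b'" + blob + b"')))\n")
    return src


def unpack(src: bytes, max_layers: int = 500) -> tuple[bytes, int]:
    """Statically peel layers without ever calling exec(); returns
    (innermost source, number of layers removed)."""
    count = 0
    while count < max_layers:
        match = LAYER_RE.search(src)
        if match is None:
            break  # no recognised wrapper left: this is the real script
        try:
            src = zlib.decompress(base64.b64decode(match.group(2)))
        except (zlib.error, ValueError):
            break  # malformed layer: stop and return what was recovered so far
        count += 1
    return src, count


def analyse_constructed_sample() -> tuple[bytes, int]:
    """Wrap a harmless constructed payload 63 times (the depth the report cites)
    and recover it, showing what an analyst's unpacking loop has to do."""
    inner = b"print('innermost script reached')\n"  # constructed, benign stand-in
    return unpack(pack(inner, 63))


if __name__ == "__main__":
    source, depth = analyse_constructed_sample()
    print(f"peeled {depth} layers; recovered: {source!r}")
```

A static loop like this is what an image scanner needs instead of a single base64 decode; a sample that still contains an `exec(` wrapper after the last recognised layer is worth escalating rather than dismissing.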
## Impact Assessment
- **Financial:** Attacker profits via the token scheme; victim incurs compute resource costs and potential downtime/service degradation.
- **Data Breach:** No sensitive data breach reported.
- **Operational:** Resource consumption due to continuous container execution and obfuscated processes.
- **Reputational:** Potential reputational damage for victims if their infrastructure is found hosting crypto-mining activity.
## Indicators of Compromise
- **Network Indicators (Defanged):** Connection to `teneo[.]pro` via WebSocket protocol for sending heartbeat signals.
- **File Indicators:** Malicious Docker Image: `kazutod/tene:ten`.
- **Behavioral Indicators:** Processes originating from Docker containers exhibiting high CPU usage and sustained connections to a specific Web3 service endpoint designed to accrue rewards via dummy activity.
## Response Actions
- **Containment:** (Implied) Removal or isolation of the compromised Docker container running the malicious image.
- **Eradication:** Deletion of the malicious image and associated scripts from the environment.
- **Recovery:** Restoring affected system performance and scanning for the vulnerabilities or misconfigurations that allowed the initial container deployment.
## Lessons Learned
- Attackers are evolving cryptojacking tactics to bypass traditional signatures (like XMRig detection) by exploiting reward mechanisms in newer Web3/DePIN projects.
- Heavily obfuscated, multi-layered scripting (63 iterations needed to unpack) poses a significant hurdle for automated detection tools.
- Misconfigured or vulnerable Docker environments remain a significant initial access vector.
## Recommendations
- Implement strict image scanning and runtime monitoring for all deployed containers, including checks that flag heavily obfuscated scripts.
- Restrict access to the Docker daemon and its API to prevent unauthorized image pulls or execution.
- Monitor outbound network traffic from containers for connections to suspicious or newly established Web3 infrastructure endpoints not related to core business functions.
- Organizations should review third-party dependencies in their supply chain (such as Docker Hub images) for malicious behavior that mimics legitimate services.