Full Report
A recent malware campaign targeting Docker showcases a novel form of cryptojacking that abuses legitimate Web3 services for profit while employing heavy layers of obfuscation to evade detection. By leveraging publicly hosted Docker images, the attackers deploy Python scripts t...
Analysis Summary
# Tool/Technique: Multi-Layered Cryptojacking via Docker Campaign
## Overview
This is a novel cryptojacking campaign targeting Docker environments. It uses publicly accessible Docker images to deploy heavily obfuscated, multi-layered Python scripts designed to evade detection. Rather than mining directly with traditional tools, its primary goal is to abuse legitimate Web3 reward services (specifically the Teneo platform) by generating activity/heartbeat pings that covertly accumulate private crypto tokens.
## Technical Details
- Type: Technique/Campaign (Cryptojacking)
- Platform: Docker, Linux environments hosting Docker
- Capabilities: Over 60 layers of progressive self-decoding, abuse of legitimate Web3 reward platforms via heartbeat pings.
- First Seen: Not explicitly dated, but detailed in an article published April 22, 2025.
## MITRE ATT&CK Mapping
- TA0014 - Impact
- T1496 - Resource Hijacking
- *Note: While the resource being hijacked is CPU/network for cryptojacking, the specific mechanism abuses a legitimate platform's reward structure.*
## Functionality
### Core Capabilities
- **Initial Access/Execution:** Leverages the execution context of a Docker container started from the public image `kazutod/tene:ten`, whether that container was compromised after the fact or was malicious by design.
- **Payload Delivery:** Executes a primary Python script (`ten.py`) which acts as a loader/decoder.
- **Reward Earning:** Sends continuous, low-impact data/heartbeat pings to the `teneo[.]pro` domain to accumulate Teneo Points (private crypto tokens).
### Advanced Features
- **Heavy Obfuscation:** Employs recursive, multi-layered decoding: base64 encoding, reversal, and zlib compression applied sequentially over more than 60 iterations to hide the final payload. This complexity is designed specifically to frustrate forensic analysis and signature-based detection.
- **Web3 Service Abuse:** A stealthier alternative to traditional XMRig-based mining, abusing legitimate service economics for profit.
## Indicators of Compromise
- File Hashes: N/A (Not provided in the text)
- File Names: `ten.py`
- Registry Keys: N/A (Linux/container environment; the Windows registry does not apply, and no equivalent persistence mechanism is described)
- Network Indicators: `teneo[.]pro` (defanged)
- Behavioral Indicators: Container startup leading to high CPU/network usage related to repetitive, structured API pings to the Teneo service; execution chain involving numerous successive decode/execute operations performed by a Python process.
## Associated Threat Actors
- Unknown (no attribution is given for the campaign)
## Detection Methods
- Signature-based detection: Largely ineffective, because the 60+ obfuscation layers mean a signature would have to match either a specific intermediate layer or the final decoded payload.
- Behavioral detection: Monitor container creation and the Python processes spawned afterwards for repeated decode-and-execute routines; detect sustained, structured heartbeat traffic directed at the reward platform domain.
- YARA rules: Could be developed for heuristic detection based on the unique sequence of decoding operations (e.g., base64 -> reverse -> zlib).
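As an added example (not code from the report or the campaign), a static unpacker an analyst could run on a suspected loader: it peels base64 -> reverse -> zlib layers without executing anything and counts them, which also serves the layer-count heuristic above. The one-line `exec(...)` loader shape and the `wrap_layers` test sample are assumptions constructed here, not the real `ten.py`.

```python
import base64
import binascii
import re
import zlib
from typing import Optional, Tuple

# Matches the longest base64-looking quoted blob inside a one-line loader such as
# exec(zlib.decompress(base64.b64decode("...")[::-1])). This loader shape is an
# assumption for the example; the report does not quote the real ten.py source.
BLOB_RE = re.compile(rb"['\"]([A-Za-z0-9+/=\s]{16,})['\"]")


def peel_one(layer: bytes) -> Optional[bytes]:
    """Statically undo one base64 -> reverse -> zlib layer; None if it is not one."""
    m = max(BLOB_RE.finditer(layer), key=lambda x: len(x.group(1)), default=None)
    blob = m.group(1) if m else layer  # bare blob, or blob pulled from a loader line
    try:
        raw = base64.b64decode(b"".join(blob.split()), validate=True)
        return zlib.decompress(raw[::-1])
    except (binascii.Error, zlib.error, ValueError):
        return None


def peel_layers(sample: bytes, limit: int = 200) -> Tuple[int, bytes]:
    """Peel wrappers until the data is no longer a recognisable layer.

    Every step is a pure decode, so nothing from the sample is executed.
    Returns (layer_count, innermost_bytes); the count is itself a heuristic,
    since benign scripts do not nest dozens of decode layers.
    """
    current, depth = sample, 0
    while depth < limit:
        nxt = peel_one(current)
        if nxt is None:
            break
        current, depth = nxt, depth + 1
    return depth, current


# --- constructed test input (benign; not the campaign's payload) ----------
def wrap_layers(payload: bytes, layers: int) -> bytes:
    """Build a benign N-layer sample in the order the report describes."""
    for _ in range(layers):
        inner = base64.b64encode(zlib.compress(payload)[::-1])
        payload = (b'import base64,zlib;exec(zlib.decompress('
                   b'base64.b64decode("' + inner + b'")[::-1]))')
    return payload


if __name__ == "__main__":
    depth, final = peel_layers(wrap_layers(b'print("innermost")', 60))
    print(f"peeled {depth} layers -> {final!r}")
```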
## Mitigation Strategies
- **Prevention measures:** Review and limit access to publicly accessible Docker images, especially those hosting unknown or untrusted code. Implement stronger container image scanning before allowing deployment.
- **Hardening recommendations:** Restrict outbound network access from containers where possible (Network segmentation/Micro-segmentation) to only known-good endpoints, isolating containers from potentially malicious Web3 endpoints.
## Related Tools/Techniques
- XMRig (Mentioned as a contrast; this campaign avoids traditional reliance on XMRig for visibility).
- Container Escape techniques (If the cryptomining process attempts to break out of the container sandbox).
- Standard Cryptomining techniques utilizing process injection or traditional CPU-intensive hashing.