Darktrace and Cado said the new campaign highlights a shift towards alternative methods of mining cryptocurrencies
Analysis Summary
# Tool/Technique: Novel Cryptojacking Technique Targeting Docker
## Overview
A new cryptojacking malware campaign is targeting Docker environments. Instead of relying on heavily detected traditional methods like XMRig, this campaign utilizes a novel approach involving abuse of legitimate services (teneo.pro and Nexus Network client) to generate cryptocurrency rewards (teneo points/private crypto tokens).
## Technical Details
- Type: Malware Campaign / Technique (Cryptojacking)
- Platform: Docker Environments (Containers/Host)
- Capabilities: Gaining cryptocurrency rewards by pinging a legitimate service websocket without performing the intended computational tasks (scraping or ZK-compute).
- First Seen: April 2025 (based on article date)
## MITRE ATT&CK Mapping
*Note: Specific TTPs are inferred based on the activity described (initial access/execution not detailed, focus on persistence/resource abuse).*
- **TA0016 - Resource Development** (Inferred if attacker is deploying infrastructure)
  - T1595 - Active Scanning
- **TA0004 - Privilege Escalation** (Inferred if container escape or host access is achieved)
- **TA0005 - Defense Evasion**
  - T1078 - Valid Accounts (Abuse of legitimate service mechanisms)
- **TA0011 - Command and Control** (Inferred for initial setup)
  - T1105 - Ingress Tool Transfer (If the malware package is downloaded)
- **TA0009 - Collection** (Resource abuse is the collection goal)
  - T1496 - Resource Hijacking
    - T1496.003 - Cloud Instance (Relevant to Docker/Container host systems)
## Functionality
### Core Capabilities
- Compromise of Docker environments (the initial access method is not detailed in the source).
- Connection to the `teneo.pro` websocket to send 'keep alive' pings.
- Gaining 'teneo points' which convert to private crypto tokens without contributing computational work (scraping).
### Advanced Features
- *Stealth/Evasion:* Bypassing traditional cryptojacking detection by avoiding high CPU usage signatures associated with tools like XMRig.
- Utilizing legitimate decentralized network participation mechanisms (teneo.pro and Nexus Network client) for clandestine mining/reward acquisition.
- Deployment of Nexus Network client containers for distributed zero-knowledge compute tasks in exchange for cryptocurrency.
## Indicators of Compromise
- File Hashes: [Not specified in the provided text]
- File Names: Nexus Network client processes/containers.
- Registry Keys: [Not specified in the provided text]
- Network Indicators:
  - Connection to `teneo.pro` websocket endpoints.
- Behavioral Indicators:
  - Unnecessary 'keep alive' pings to specific target services for illegitimate reward accumulation.
  - Execution of cryptocurrency client software (like Nexus Network client) within Docker containers instead of standard mining utilities.
## Associated Threat Actors
- Not explicitly named, but implied to be sophisticated cryptojacking adversaries seeking to evade XMRig detection.
## Detection Methods
- Signature-based detection: Largely ineffective against this approach, because the campaign avoids XMRig and the other well-signatured miners.
- Behavioral detection: Focus on unusual network traffic patterns, in particular websocket sessions from containerized systems that do not match the container's expected application function or any legitimate resource contribution (the session is kept alive without the corresponding compute work being performed). Also monitor for the Nexus Network client running in contexts where nobody deployed it.
- YARA rules: [Not specified in the provided text]
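The behavioral rule above can be expressed over per-container egress records. The following script is an added example written for this summary, not code from Darktrace, Cado, or the campaign it describes. The log schema (`container`, `image`, `dst`, `upgrade` fields), the `ws.teneo.pro` subdomain, and the `example/nexus-network-client` image name are all constructed for illustration; only the `teneo.pro` domain and the Nexus Network client name come from the report. It flags containers that open repeated websocket sessions to the watched domain (the "keep alive" pattern) and containers whose image name suggests a reward-network client.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of per-container egress records (one JSON object per line).
# The field names are an assumption made for this example, not any product's schema.
# ws.teneo.pro is a constructed subdomain of the teneo.pro domain named in the report;
# "example/nexus-network-client" is a placeholder image name, not a real one.
SAMPLE_LOG = """\
{"ts":"2025-04-22T10:00:01Z","container":"web-frontend","image":"nginx:1.25","dst":"wss://ws.example.internal/feed","upgrade":"websocket"}
{"ts":"2025-04-22T10:00:05Z","container":"batch-01","image":"alpine:3.19","dst":"wss://ws.teneo.pro/websocket","upgrade":"websocket"}
{"ts":"2025-04-22T10:00:35Z","container":"batch-01","image":"alpine:3.19","dst":"wss://ws.teneo.pro/websocket","upgrade":"websocket"}
{"ts":"2025-04-22T10:01:05Z","container":"batch-01","image":"alpine:3.19","dst":"wss://ws.teneo.pro/websocket","upgrade":"websocket"}
{"ts":"2025-04-22T10:02:00Z","container":"zk-worker","image":"example/nexus-network-client:latest","dst":"https://api.example.com/prove","upgrade":""}
{"ts":"2025-04-22T10:02:10Z","container":"web-frontend","image":"nginx:1.25","dst":"https://cdn.example.com/app.js","upgrade":""}
"""

# Domain whose websocket endpoints the report names as abused, and a coarse
# image-name token used to spot the Nexus Network client in unexpected workloads.
WATCH_DOMAINS = ("teneo.pro",)
IMAGE_TOKENS = ("nexus",)


def parse_records(text):
    """Parse newline-delimited JSON egress records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (no suffix tricks)."""
    return host == domain or host.endswith("." + domain)


def find_suspicious(records, watch_domains=WATCH_DOMAINS, image_tokens=IMAGE_TOKENS):
    """Return (websocket_hits, client_images).

    websocket_hits maps (container, host) to the number of websocket sessions
    opened to a watched domain; repeated short-interval sessions are the
    'keep alive' pattern the report describes.  client_images is the set of
    (container, image) pairs whose image name suggests a reward-network client.
    """
    websocket_hits = Counter()
    client_images = set()
    for rec in records:
        host = host_of(rec.get("dst", ""))
        is_ws = rec.get("upgrade", "").lower() == "websocket"
        if is_ws and any(in_domain(host, d) for d in watch_domains):
            websocket_hits[(rec["container"], host)] += 1
        image = rec.get("image", "").lower()
        if any(tok in image for tok in image_tokens):
            client_images.add((rec["container"], rec["image"]))
    return websocket_hits, client_images


def report(text):
    """Return the finding lines for a log blob (one line per flagged pair)."""
    ws_hits, images = find_suspicious(parse_records(text))
    lines = []
    for (container, host), n in sorted(ws_hits.items()):
        lines.append(f"[websocket] container={container} host={host} sessions={n}")
    for container, image in sorted(images):
        lines.append(f"[client-image] container={container} image={image}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

In practice the session count per (container, host) is what separates a one-off lookup from the keep-alive loop: a container that opens the same websocket every 30 seconds and never does the scraping or proving work is the signal, so the threshold and the interval window should be tuned to the workloads you actually run.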
## Mitigation Strategies
- **Image Security:** Ensure Docker images are free of known cryptocurrency mining code or unrelated services.
- **Resource Limits:** Apply strict CPU and memory limits on Docker containers to restrict the impact of potential cryptojacking activity, even if the method changes.
- **Network Segmentation/Monitoring:** Monitor outbound network connections from containers, specifically looking for connections to known or suspicious crypto service endpoints, or unexpected websocket interactions.
- **Least Privilege:** Ensure containers run with the lowest necessary privileges to limit lateral movement or damage.
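The resource-limit and least-privilege items above can be checked mechanically against `docker inspect` output. The following audit is an added example written for this summary, not code from the report's authors or from Docker. The two inspect records are constructed and trimmed to the fields the audit reads (`HostConfig.NanoCpus`, `HostConfig.Memory`, `HostConfig.PidsLimit`, `HostConfig.Privileged`, `HostConfig.CapDrop`, `HostConfig.ReadonlyRootfs`, `HostConfig.SecurityOpt`, `Config.User`, which are real inspect fields); the container names and limit values are made up. It also renders the `docker run` flags that would close each reported gap.

```python
import json

# Constructed, trimmed records in the shape of `docker inspect` output, keeping
# only the fields this audit reads. Container names and values are made up for
# this example; "batch-01" is left unrestricted, "web-frontend" is hardened.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/batch-01",
        "Config": {"Image": "alpine:3.19", "User": ""},
        "HostConfig": {
            "NanoCpus": 0, "Memory": 0, "PidsLimit": None, "Privileged": False,
            "CapAdd": None, "CapDrop": None, "ReadonlyRootfs": False,
            "SecurityOpt": None,
        },
    },
    {
        "Name": "/web-frontend",
        "Config": {"Image": "nginx:1.25", "User": "101:101"},
        "HostConfig": {
            "NanoCpus": 500_000_000, "Memory": 268_435_456, "PidsLimit": 256,
            "Privileged": False, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
            "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges"],
        },
    },
])


def audit_container(container):
    """Return the list of hardening gaps for one inspect record (empty = passes)."""
    hc = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    gaps = []
    # Resource limits: NanoCpus/Memory of 0 mean "unlimited" in docker inspect,
    # which is exactly what a resource-hijacking workload wants.
    if not hc.get("NanoCpus"):
        gaps.append("no CPU limit (HostConfig.NanoCpus is 0)")
    if not hc.get("Memory"):
        gaps.append("no memory limit (HostConfig.Memory is 0)")
    if not hc.get("PidsLimit"):
        gaps.append("no pids limit (worker swarms unbounded)")
    # Least privilege: root user, privileged mode, full capability set and a
    # writable root filesystem all widen what a hijacked container can do.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        gaps.append("runs as root (Config.User unset or root)")
    if hc.get("Privileged"):
        gaps.append("runs with --privileged")
    if "ALL" not in [c.upper() for c in (hc.get("CapDrop") or [])]:
        gaps.append("does not drop all capabilities (CapDrop lacks ALL)")
    if not hc.get("ReadonlyRootfs"):
        gaps.append("writable root filesystem (no --read-only)")
    if not any(opt.startswith("no-new-privileges") for opt in (hc.get("SecurityOpt") or [])):
        gaps.append("missing --security-opt no-new-privileges")
    return gaps


def audit_all(inspect_json):
    """Map container name -> gaps for a whole `docker inspect` JSON array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


def hardening_flags(cpus="0.5", memory="256m", pids=256, user="65534:65534"):
    """Render the `docker run` flags that close every gap the audit reports.

    The numeric defaults are illustrative; size them to the real workload.
    """
    return (
        f"--cpus {cpus} --memory {memory} --pids-limit {pids} "
        f"--user {user} --cap-drop ALL --read-only "
        f"--security-opt no-new-privileges"
    )


if __name__ == "__main__":
    for name, gaps in audit_all(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not gaps else f'{len(gaps)} gap(s)'}")
        for g in gaps:
            print(f"  - {g}")
    print("suggested flags:", hardening_flags())
```

Feed it `docker inspect $(docker ps -q)` on a host and every container that would let a reward-farming process run unbounded as root shows up with its specific gaps; the CPU and memory caps matter here even though this campaign is light on CPU, because they bound the blast radius if the operator switches back to conventional mining.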
## Related Tools/Techniques
- Traditional Cryptojacking using XMRig.
- Abuse of computational/distributed ledger projects for financial gain.