Article Details
Scrape Timestamp (UTC): 2025-04-22 16:47:14.187
Source: https://thehackernews.com/2025/04/docker-malware-exploits-teneo-web3-node.html
Original Article Text
Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals

Cybersecurity researchers have detailed a malware campaign that's targeting Docker environments with a previously undocumented technique to mine cryptocurrency.

The activity cluster, per Darktrace and Cado Security, represents a shift from other cryptojacking campaigns that directly deploy miners like XMRig to illicitly profit off the compute resources.

This involves deploying a malware strain that connects to a nascent Web3 service called Teneo, a decentralized physical infrastructure network (DePIN) that allows users to monetize public social media data by running a Community Node in exchange for rewards called Teneo Points, which can be converted into $TENEO Tokens. The node essentially functions as a distributed social media scraper to extract posts from Facebook, X, Reddit, and TikTok.

An analysis of artifacts gathered from its honeypots has revealed that the attack starts with a request to launch a container image "kazutod/tene:ten" from the Docker Hub registry. The image was uploaded two months ago and has been downloaded 325 times to date.

The container image is designed to run an embedded Python script that's heavily obfuscated and requires 63 iterations to unpack the actual code, which sets up a connection to teneo[.]pro.

"The malware script simply connects to the WebSocket and sends keep-alive pings in order to gain more points from Teneo and does not do any actual scraping," Darktrace said in a report shared with The Hacker News. "Based on the website, most of the rewards are gated behind the number of heartbeats performed, which is likely why this works."

The campaign is reminiscent of another malicious threat activity cluster that's known to infect misconfigured Docker instances with the 9Hits Viewer software in order to generate traffic to certain sites in exchange for obtaining credits.
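The article notes that the campaign begins with a request to launch the "kazutod/tene:ten" image; a defender's first detection opportunity is therefore the Docker daemon's own event stream. The following is an added example (not from the article or either vendor's report) that parses lines in the `docker events --format '{{json .}}'` format and flags container create/start events whose image is either the one named above or absent from a hypothetical allowlist; the sample event lines and the allowlist entries are constructed.

```python
import json
from typing import Dict, Iterable, List

# Image named in the article; treated as a known indicator.
KNOWN_BAD_IMAGES = {"kazutod/tene:ten"}
# Hypothetical allowlist: images this host is expected to run (constructed).
ALLOWED_IMAGES = {"nginx:1.27", "registry.internal.example/app:2.4"}
WATCHED_ACTIONS = {"create", "start"}


def analyze_docker_events(lines: Iterable[str]) -> List[Dict]:
    """Flag container launches from a known-bad image or an image outside the allowlist."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate a malformed line instead of stopping the monitor
        # Image pulls and network events are ignored here; only container launches matter.
        if ev.get("Type") != "container" or ev.get("Action") not in WATCHED_ACTIONS:
            continue
        attrs = ev.get("Actor", {}).get("Attributes", {})
        image = attrs.get("image") or ev.get("from", "")
        if image in KNOWN_BAD_IMAGES:
            reason = "known cryptojacking image"
        elif image not in ALLOWED_IMAGES:
            reason = "image not in allowlist"
        else:
            continue
        findings.append({"time": ev.get("time"), "action": ev["Action"], "image": image,
                         "container": attrs.get("name", ev.get("id", "")[:12]), "reason": reason})
    return findings


# Constructed sample lines in docker-events JSON shape (not real telemetry).
SAMPLE_EVENTS = """
{"status":"create","id":"5c1d2e7a9b10","from":"nginx:1.27","Type":"container","Action":"create","Actor":{"ID":"5c1d2e7a9b10","Attributes":{"image":"nginx:1.27","name":"web"}},"scope":"local","time":1745332800}
{"status":"create","id":"9a7f00c4d2e1","from":"kazutod/tene:ten","Type":"container","Action":"create","Actor":{"ID":"9a7f00c4d2e1","Attributes":{"image":"kazutod/tene:ten","name":"tene"}},"scope":"local","time":1745332860}
{"status":"start","id":"9a7f00c4d2e1","from":"kazutod/tene:ten","Type":"container","Action":"start","Actor":{"ID":"9a7f00c4d2e1","Attributes":{"image":"kazutod/tene:ten","name":"tene"}},"scope":"local","time":1745332861}
{"status":"pull","id":"busybox:latest","Type":"image","Action":"pull","Actor":{"ID":"busybox:latest","Attributes":{"name":"busybox"}},"scope":"local","time":1745332900}
{"status":"create","id":"3b3b3b3b3b3b","from":"busybox:latest","Type":"container","Action":"create","Actor":{"ID":"3b3b3b3b3b3b","Attributes":{"image":"busybox:latest","name":"scratch"}},"scope":"local","time":1745332901}
"""

if __name__ == "__main__":
    for finding in analyze_docker_events(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

In production the same function would be fed from `docker events --format '{{json .}}'` piped over stdin; an allowlist miss on a host that should never pull from Docker Hub is a strong signal on its own, regardless of the image name.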
The intrusion set is also similar to other bandwidth-sharing schemes like proxyjacking that involve downloading a specific software to share unused internet resources for some sort of financial incentive.

"Typically, traditional cryptojacking attacks rely on using XMRig to directly mine cryptocurrency, however as XMRig is highly detected, attackers are shifting to alternative methods of generating crypto," Darktrace said. "Whether this is more profitable remains to be seen."

The disclosure comes as Fortinet FortiGuard Labs revealed a new botnet dubbed RustoBot that's propagating through security flaws in TOTOLINK (CVE-2022-26210 and CVE-2022-26187) and DrayTek (CVE-2024-12987) devices with an aim to conduct DDoS attacks. The exploitation efforts have been found to primarily target the technology sector in Japan, Taiwan, Vietnam, and Mexico.

"IoT and network devices are often poorly defended endpoints, making them attractive targets for attackers to exploit and deliver malicious programs," security researcher Vincent Li said. "Strengthening endpoint monitoring and authentication can significantly reduce the risk of exploitation and help mitigate malware campaigns."
Daily Brief Summary
Cybersecurity firms Darktrace and Cado Security have exposed a new malware campaign which exploits Docker environments to mine cryptocurrency.
The malware uses a novel method in which it fakes interaction with the Web3-based Teneo service to generate rewards, bypassing traditional direct crypto mining approaches.
Teneo operates a decentralized platform where participants can earn points by running nodes that scrape social media data; however, the malware fakes activity to accumulate points without real data scraping.
The offending Docker container, labeled "kazutod/tene:ten", contains an obfuscated Python script that interacts with Teneo's system just enough to mimic activity and earn rewards.
The malware’s strategy includes sending keep-alive pings to simulate engagement, exploiting the system's reward for 'heartbeat' actions rather than actual data scraping.
This Docker-based approach is part of a broader trend of cybercriminals moving away from easily detectable mining tools like XMRig to more surreptitious methods of exploiting computing resources for financial gain.
The discovery also aligns with recent findings of increased botnet activities and IoT device exploitations aimed at conducting DDoS attacks, highlighting ongoing vulnerabilities in network security.