Out of all the services targeted by Darktrace, Docker has emerged as the most frequently attacked platform, showcasing an ongoing evolution in cyber threats with new malware strains appearing daily. This article will delve into a distinct malware attack featuring a unique obfuscation method and an advanced cryptojacking technique, highlighting the critical need for awareness and advanced defensive strategies.
1. What is Obfuscation?
Obfuscation is a well-known method used by cybercriminals to disguise the true nature of their malicious code, thereby complicating detection and analysis processes. This technique makes it challenging for security systems to recognize and neutralize threats. In this case, the campaign employs an intriguing method to obscure its payload effectively. By employing such tactics, the threat actors ensure that the malicious activity remains undetected for a longer duration, allowing them to accomplish their objectives with reduced risk of intervention.
The obfuscation technique in this campaign involves encoding the malicious code in such a way that it appears benign to most detection tools. Only when specific decoding processes are applied does the true nature of the code reveal itself. This additional layer of complexity frustrates attempts by security personnel to analyze and mitigate the threat. Understanding and overcoming this complexity is a crucial skill for cybersecurity professionals engaged in defending against sophisticated attacks.
2. Docker Image Inspection
The attack begins by making a request to launch a container from Docker Hub, specifically targeting the kazutod/tene:ten image. Docker Hub’s layer viewer allows analysts to quickly assess the container’s intended function, which in this case is designed to execute the ten.py script integrated within itself. This script appears harmless at first glance, but deeper analysis reveals its true malicious intent.
Using built-in Docker tooling enables analysts to download and save the image into a more workable format for thorough examination. Commands such as docker pull kazutod/tene:ten are employed to pull the image, while docker image save kazutod/tene:ten -o tene.tar facilitates saving the image for further dissection. By extracting the contents using tar -xf tene.tar -C target_directory, analysts can access the files in a regular format, making it easier to inspect and analyze the embedded malicious payload.
3. Initial Analysis Steps
To kickstart the analysis, the primary steps involve launching specific Docker commands to pull and save the image to a more analyzable format. Executing docker pull kazutod/tene:ten retrieves the necessary image from Docker Hub, and the command docker image save kazutod/tene:ten -o tene.tar converts the image into a tar file, simplifying further inspection.
Once the image is saved, it must be extracted using the command tar -xf tene.tar -C target_directory. This step transforms the image into a conventional file structure that cybersecurity analysts can navigate easily. These initial steps are vital for breaking down the obfuscation layers and understanding the underlying malicious code embedded within the Docker image.
4. Image Layers and File Structure
Docker images leverage the OCI format, which contrasts with regular file systems by consisting of multiple layers, each contributing to the overall functionality of the container. Within the sha256 directory, each layer is visible through JSON metadata files. To recreate the container file system, all layers must be extracted into a single directory using commands such as find blobs/sha256 -type f -exec sh -c 'file "{}" | grep -q "tar archive" && tar -xf "{}" -C root_dir' \;.
This step consolidates all layers into a unified file system structure, mirroring what the container would look like once deployed. Understanding this layered architecture is crucial for identifying how the malicious code operates within the container environment and for pinpointing the specific layers contributing to the attack.
5. Locating the Script
The next phase involves locating the critical ten.py script within the extracted files to understand its role in the malicious campaign. This task can be accomplished using the command find root_dir -name ten.py, which searches for and identifies the script within the directory structure.
The ten.py script is essential for comprehending the attack. It contains the obfuscated code that, when decoded, reveals the malicious instructions intended to exploit the Docker container. Identifying and analyzing this script is a pivotal step in unraveling the advanced obfuscation mechanisms employed by the cybercriminals.
6. Simplifying the Code
The ten.py script uses a lambda function to decode an obfuscated base64 string, decompress it using zlib, and then execute the decompressed code within Python. The initial complexity of the script masks its true function. Simplifying the code helps in understanding the underlying malicious behavior. The simplified version of the function looks like this:
def decode(input): reversed = input[::-1] decoded = base64.decode(reversed) decompressed = zlib.decompress(decoded) return decompresseddecoded_string = decode(the_big_text_blob)exec(decoded_string)This function effectively decodes the encoded string, decompresses it, and then executes the resulting Python code. By simplifying the script, analysts can better grasp the decoding process and anticipate the subsequent stages of the malware’s operation. This initial simplification is crucial for creating a clearer view of the obfuscated code’s structure and functionality.
7. Decoding with Cyberchef
To further decode and simplify the ten.py script, Cyberchef—a versatile online tool for data manipulation—is employed. This tool processes the script’s multiple layers of obfuscation sequentially. Each layer decoded reveals the next layer of the script, which must be further decoded, continuing this process until the true payload is revealed.
Cyberchef streamlines the decoding process, making it easier to handle the recursive obfuscation embedded within the script. By taking a systematic approach, analysts decode each layer efficiently, peeling away the obfuscation to understand the actual malicious code. Utilizing such tools is instrumental in dissecting sophisticated malware with multiple obfuscation layers.
8. Automating the Decoding Process
Rather than manually copying and pasting each decoded layer, an automated script can streamline the process, enhancing efficiency and accuracy. The following script automates the decoding steps:
decoded = decode(initial)clamped = decoded[11:-3]for i in range(1, 100): decoded = decode(clamped) print(f"Step {i}") print(decoded) clamped = decoded[11:-3]This script applies the decode function iteratively, stripping away the obfuscation layers systematically. Automating the decoding process not only saves time but also reduces the potential for human error. This approach allows analysts to focus on understanding the decoded payload rather than getting bogged down in repetitive manual tasks.
9. Malicious Intent Discoveries
After 63 iterations of decoding, significant code emerged from the recursive obfuscation, revealing the script’s intent. The malicious code establishes a connection to teneo[.]pro, a website associated with a Web3 startup. By exploiting the platform’s features, the attackers manipulate the website’s functionalities to harvest “Teneo Points” without performing the actual web scraping it was meant for.
This discovery highlights a novel method of cryptojacking, where traditional methods have been replaced with more sophisticated, less detectable operations. By leveraging legitimate platforms in unintended ways, cybercriminals achieve their objectives while evading detection. This shift in tactic underscores the evolving nature of cryptojacking and the need for adaptive security measures.
10. Prevention and Caution
Traditional cryptojacking techniques typically rely on tools like XMRig to mine cryptocurrency directly. However, due to their high detection rates, attackers are now adopting new methods, such as the one described in this case study. This incident showcases the growing complexity and ingenuity in cyber-attacks, emphasizing the importance of robust security practices.
To protect Docker services, it is crucial to implement strong security measures. Docker should never be exposed to the internet unless absolutely necessary. When exposure is unavoidable, strict authentication and firewall rules must be enforced to limit access to authorized users only. These precautions are essential to mitigate the risk of unauthorized access and exploitation, ensuring a secure operational environment for Docker services.
Essential Takeaways
Out of all the services targeted by Darktrace, Docker has become the most frequently attacked platform, highlighting a significant trend in the evolving landscape of cyber threats. With new strains of malware emerging on a daily basis, this underscores an ever-present danger to digital infrastructures. This article will explore a particular malware attack that utilizes a unique obfuscation method. This obfuscation is not only sophisticated but also challenging to detect, even for advanced security systems. Moreover, the attack employs an advanced cryptojacking technique, which secretly uses the infected system’s resources for cryptocurrency mining without the user’s knowledge. This kind of stealthy operation often goes unnoticed for extended periods, leading to potentially significant financial losses and degraded system performance. The critical nature of this threat calls for heightened awareness and the implementation of advanced defensive strategies. Cybersecurity measures must evolve to counter these sophisticated threats effectively, ensuring that platforms like Docker remain secure against persistent and innovative attacks.
