The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties.
“The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure to spread their malware,” Assaf Morag, director of threat intelligence at cloud security firm Aqua, said in a report published Friday.
The attack activity is once again a testament to the threat actor’s persistence and its ability to evolve its tactics and mounting multi-stage assaults with the goal of compromising Docker environments and enlisting them into a Docker Swarm.
Besides using Docker Hub to host and distribute their malicious payloads, TeamTNT has been observed offering the victims’ computational power to other parties for illicit cryptocurrency mining, thus diversifying its monetization strategy.
Rumblings of the attack campaign emerged earlier this month when Datadog disclosed malicious attempts to corral infected Docker instances into a Docker Swarm, alluding it could be the work of TeamTNT, while also stopping short of making a formal attribution. But the full extent of the operation hasn’t been clear, until now.
Morag told The Hacker News that Datadog “found the infrastructure in a very early stage” and that their discovery “forced the threat actor to change the campaign a bit.”
The attacks entail identifying unauthenticated and exposed Docker API endpoints using masscan and ZGrab and using them for cryptominer deployment and selling the compromised infrastructure to others on a mining rental platform called Mining Rig Rentals, effectively offloading the job of having to manage them themselves, a sign of the maturation of the illicit business model.
Specifically, this is carried out by means of an attack script that scans for Docker daemons on ports 2375, 2376, 4243, and 4244 across nearly 16.7 million IP addresses. It subsequently deploys a container running an Alpine Linux image with malicious commands.
The image, retrieved from a compromised Docker Hub account (“nmlm99”) under their control, also executes an initial shell script named the Docker Gatling Gun (“TDGGinit.sh”) to launch post-exploitation activities.
One notable change observed by Aqua is the shift away from the Tsunami backdoor to the open-source Sliver command-and-control (C2) framework for remotely commandeering the infected servers.
“Additionally, TeamTNT continues to use their established naming conventions, such as Chimaera, TDGG, and bioset (for C2 operations), which reinforces the idea that this is a classic TeamTNT campaign,” Morag said.
“In this campaign TeamTNT is also using anondns (AnonDNS or Anonymous DNS is a concept or service designed to provide anonymity and privacy when resolving DNS queries), in order to point to their web server.”
The findings come as Trend Micro shed light on a new campaign that involved a targeted brute-force attack against an unnamed customer to deliver the Prometei crypto mining botnet.
“Prometei spreads in the system by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB),” the company said, highlighting the threat actor’s efforts on setting up persistence, evading security tools, and gaining deeper access to an organization’s network through credential dumping and lateral movement.
“The affected machines connect to a mining pool server which can be used to mine cryptocurrencies (Monero) on compromised machines without the victim’s knowledge.”