The hacker group known as TeamTNT appears to be preparing for a new large-scale campaign targeting cloud-native environments, which it uses for mining cryptocurrencies and, once compromised, rents out as servers to its clients.
“The group is currently targeting exposed Dockers to deploy the Sliver malware, a cyber worm, using compromised servers and Docker Hub as infrastructure to spread their malware,” said Assaf Morag, director of threat intelligence at cloud security firm Aqua, in a report published on Friday.
The attack activity is once again a testament to the threat actor’s persistence and its ability to evolve its tactics and mount multi-stage attacks with the goal of compromising Docker environments and preparing them to join a Docker swarm.
In addition to using Docker Hub to host and distribute its malicious payloads, TeamTNT has been observed offering victims’ computing power to its clients for illicit cryptocurrency mining, thereby diversifying its monetization strategy.
Early signs of the attack campaign surfaced earlier this month when Datadog revealed malicious attempts to corral infected Docker instances into a Docker swarm, suggesting it could be the work of TeamTNT while stopping short of formal attribution.
The attacks involve identifying unauthenticated, exposed Docker API endpoints with masscan and ZGrab, then using them to deploy cryptominers and to sell the compromised infrastructure to others through a mining rental platform called Mining Rig Rentals, which spares the group the work of managing the miners itself, a sign that the illicit business model is maturing.
Specifically, this is carried out via an attack script that scans for Docker daemons on ports 2375, 2376, 4243, and 4244 on nearly 16.7 million IP addresses. It then deploys a container running an Alpine Linux image with malicious commands.
The image, retrieved from a compromised Docker Hub account (“nmlm99”) under its control, also runs an initial shell script called Docker Gatling Gun (“TDGGinit.sh”) to launch post-exploitation activities.
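As an added defensive example that is not part of this report, the following Python audit parses a host's own Docker daemon configuration (the contents of /etc/docker/daemon.json plus the dockerd command line) and flags TCP API listeners reachable beyond loopback, noting when they sit on one of the ports the report says the attack script probes. The sample configuration strings are constructed, and the severity labels are this example's own convention.

```python
import json
import shlex

# Ports the report says TeamTNT's attack script probes for Docker daemons.
PROBED_PORTS = {2375, 2376, 4243, 4244}
LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}

# Constructed sample inputs (not from the report): a daemon.json and a
# dockerd command line as they might appear on a misconfigured host.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock"]}'
SAMPLE_CMDLINE = "dockerd -H tcp://0.0.0.0:2375 --host=tcp://127.0.0.1:4243"

def _collect_hosts(daemon_json, dockerd_cmdline):
    """Gather -H/--host listeners and the tlsverify flag from both config sources."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tls_verify = bool(cfg.get("tlsverify", False))
    argv, i = shlex.split(dockerd_cmdline), 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            i += 1
            hosts.append(argv[i])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify

def audit_docker_exposure(daemon_json, dockerd_cmdline):
    """Return (address, port, severity, reason) for every TCP listener
    reachable beyond loopback; unix:// and fd:// sockets are skipped."""
    hosts, tls_verify = _collect_hosts(daemon_json, dockerd_cmdline)
    findings = []
    for host in hosts:
        scheme, _, rest = host.partition("://")
        if scheme != "tcp":
            continue
        addr, _, port = rest.rpartition(":")
        if not port.isdigit():  # no port given: dockerd defaults to 2375/2376
            addr, port = rest, ("2376" if tls_verify else "2375")
        if addr in LOOPBACK:
            continue  # only local clients can reach it
        note = " (port probed by the TeamTNT scanner)" if int(port) in PROBED_PORTS else ""
        if tls_verify:
            findings.append((addr, int(port), "medium", "network-exposed API with TLS client auth" + note))
        else:
            findings.append((addr, int(port), "critical", "unauthenticated Docker API listener" + note))
    return findings
```

Running `audit_docker_exposure(SAMPLE_DAEMON_JSON, SAMPLE_CMDLINE)` reports only the wildcard 0.0.0.0:2375 listener; the unix socket and the loopback-bound port are ignored.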
One notable change observed by Aqua is the move from the Tsunami backdoor to the open-source command and control (C2) framework Sliver to remotely control infected servers.
Author:
Ramon Antonio Vicente Espinal.