The infamous cryptojacking group known as TeamTNT appears to be preparing a new large-scale campaign that targets cloud environments for cryptocurrency mining and rents out compromised servers to third parties.
“The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as infrastructure to spread their malware,” Assaf Morag, director of threat intelligence at cloud security company Aqua, said in a report released Friday.
The attack is another testament to the threat actor’s persistence and to its ability to evolve its tactics and mount multi-stage attacks that compromise Docker environments and enlist them into a Docker Swarm.
In addition to using Docker Hub to host and distribute its malicious payloads, TeamTNT has been observed offering victims’ computing power to other parties for illicit cryptocurrency mining, diversifying its monetization strategy.
Hints of the campaign emerged earlier this month when Datadog uncovered malicious attempts to corral infected Docker instances into a Docker Swarm, noting that it might be the work of TeamTNT without making a formal attribution. The full scope of the operation was not clear until now.
Morag told The Hacker News that Datadog “found the infrastructure at a very early stage” and that their discovery “forced the threat actor to change the campaign a bit.”
The attacks involve identifying unauthenticated, exposed Docker API endpoints using Masscan and ZGrab, using them to deploy a cryptominer, and selling the compromised infrastructure to others on a mining rental platform called Mining Rig Rentals, effectively offloading the task of managing it, a sign of a maturing illicit business model.
Specifically, this is accomplished with an attack script that scans nearly 16.7 million IP addresses for Docker daemons on ports 2375, 2376, 4243, and 4244. It then deploys a container running an Alpine Linux image with malicious commands.
The image, pulled from a compromised Docker Hub account (“nmlm99”) under their control, also executes an initial shell script called Docker Gatling Gun (“TDGGinit.sh”) to kick off post-exploitation actions.
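The exposure the campaign relies on is a Docker daemon listening on TCP without client-certificate verification. The following audit script is an added example written for this article, not code from Aqua or from the Docker project: it reads the two places where dockerd listeners are configured (the `hosts` key of `/etc/docker/daemon.json` and `-H`/`--host` arguments on the dockerd command line, typically the `ExecStart=` of `docker.service`) and flags any non-loopback TCP listener that is not protected by `tlsverify`. The port list comes from the report above; the weak and hardened configs are constructed samples, and the treatment of `--tls` versus `--tlsverify` follows dockerd's documented semantics (`--tls` encrypts only, `--tlsverify` also requires a CA-signed client certificate).

```python
import json
import re
import shlex
from urllib.parse import urlsplit

# Ports the Aqua report says the TeamTNT attack script probes for Docker daemons.
PROBED_PORTS = {2375, 2376, 4243, 4244}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# daemon.json keys that must all be set for "tlsverify": true to be effective.
CERT_KEYS = ("tlscacert", "tlscert", "tlskey")


def hosts_from_exec_start(exec_start):
    """Return (argv, listener URLs) from a dockerd command line such as the
    ExecStart= of docker.service, honouring both '-H x' and '--host=x'."""
    args = shlex.split(exec_start)
    hosts = []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        else:
            m = re.match(r"^(?:-H|--host)=(.+)$", arg)
            if m:
                hosts.append(m.group(1))
    return args, hosts


def audit_docker_hosts(daemon_json_text, exec_start=""):
    """Flag Docker API listeners that a remote, unauthenticated client could reach.

    daemon_json_text: contents of /etc/docker/daemon.json ("" if the file is absent)
    exec_start:       dockerd command line from the systemd unit ("" if none)
    Returns a list of findings; an empty list means no exposed listener was found.
    """
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    args, cli_hosts = hosts_from_exec_start(exec_start)
    hosts = list(cfg.get("hosts", [])) + cli_hosts

    # --tlsverify makes dockerd demand a client certificate signed by the CA.
    # --tls alone only encrypts the channel: any client can still call the API.
    tls_verify = "--tlsverify" in args or (
        bool(cfg.get("tlsverify")) and all(cfg.get(k) for k in CERT_KEYS))
    tls_only = ("--tls" in args or bool(cfg.get("tls"))) and not tls_verify

    findings = []
    for url in hosts:
        parts = urlsplit(url)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only locally
        host = parts.hostname or "0.0.0.0"  # "tcp://:2375" binds every interface
        port = parts.port or 2375           # dockerd's default when the port is omitted
        if host in LOOPBACK or tls_verify:
            continue
        findings.append({
            "listener": url,
            "port": port,
            "reason": ("TLS without client certificate verification" if tls_only
                       else "plain TCP, no authentication"),
            "probed_by_campaign": port in PROBED_PORTS,
        })
    return findings


# Constructed sample configs (not taken from any real host).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_hosts(text))
```

Run it against the real files on a host to get the same two-line verdict; the `probed_by_campaign` flag simply marks whether the exposed port is one of the four the scanner described above probes, so a listener on any other port is still reported. The hardened sample closes the gap the campaign exploits without dropping remote management: TLS with mandatory client certificates on 2376, with the Unix socket kept for local use.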
One notable change Aqua observed is the move from the Tsunami backdoor to the open-source Sliver command-and-control (C2) framework for remote management of infected servers.
“Also, TeamTNT continues to use their established naming conventions such as Chimaera, TDGG and bioset (for C2 operations), which reinforces the idea that this is a classic TeamTNT campaign,” Morag said.
“In this campaign, TeamTNT also uses anondns (AnonDNS or Anonymous DNS is a concept or service designed to provide anonymity and privacy when resolving DNS queries) to point to their web server.”
The findings come as Trend Micro shed light on a new campaign that involved a targeted brute-force attack on an unnamed customer to deploy the Prometei cryptomining botnet.
“Prometei spreads on the system by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB),” the company said, highlighting the threat actor’s efforts to build resilience, evade security tools, and gain deeper access to an organization’s network through credential reset and lateral movement.
“The affected machines connect to a mining pool server that can be used to mine cryptocurrency (Monero) on the compromised machines without the victim’s knowledge.”
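The RDP and SMB brute forcing that opens the Prometei intrusion leaves a characteristic trail in the Windows Security log: a burst of failed logons (event 4625) from one source, sometimes followed by a success (event 4624) from that same source. The detector below is an added example written for this article, not Trend Micro's code or any vendor's rule: it keeps a sliding five-minute window of failures per source IP, raises an alert at ten failures, and escalates the alert when a successful logon from that source arrives while failures are still inside the window. The event records are a simplified, constructed schema (`time`, `event_id`, `logon_type`, `src_ip`, `user`) rather than the raw Windows XML; logon type 10 is RDP (RemoteInteractive) and type 3 is a network logon such as SMB.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows logon types as they appear in Security events 4624/4625.
LOGON_TYPE_NAMES = {3: "Network (SMB and other network logons)",
                    10: "RemoteInteractive (RDP)"}


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window count of failed logons (4625) per source IP.

    An alert is raised once a source reaches `threshold` failures inside
    `window`. If that source then logs on successfully (4624) while failures
    are still within the window, the alert is marked as a likely compromise.
    """
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, user) failures
    types_seen = defaultdict(set)  # src_ip -> logon types used in failures
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        ts = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]
        q = recent[ip]
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if e["event_id"] == 4625:
            q.append((ts, e["user"]))
            types_seen[ip].add(e["logon_type"])
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(),
                                           "logon_types": set(),
                                           "success_after_burst": False,
                                           "compromised_user": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
                a["logon_types"] = set(types_seen[ip])
        elif e["event_id"] == 4624 and ip in alerts and q:
            # Success while the burst is still in the window: treat as compromise.
            alerts[ip]["success_after_burst"] = True
            alerts[ip]["compromised_user"] = e["user"]
    return alerts


def sample_events():
    """Constructed Security-log records, not taken from any real incident."""
    base = datetime(2024, 10, 25, 9, 0, 0)
    users = ["administrator", "admin", "backup"]
    events = []
    for i in range(12):  # 12 failures in two minutes, alternating RDP and SMB
        events.append({"time": (base + timedelta(seconds=10 * i)).isoformat(),
                       "event_id": 4625, "logon_type": 10 if i % 2 == 0 else 3,
                       "src_ip": "203.0.113.7", "user": users[i % 3]})
    events.append({"time": (base + timedelta(seconds=125)).isoformat(),
                   "event_id": 4624, "logon_type": 10,
                   "src_ip": "203.0.113.7", "user": "backup"})
    for i in range(3):  # a user mistyping a password: stays below threshold
        events.append({"time": (base + timedelta(minutes=i)).isoformat(),
                       "event_id": 4625, "logon_type": 3,
                       "src_ip": "198.51.100.4", "user": "jdoe"})
    return events


SAMPLE_EVENTS = sample_events()

if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_EVENTS).items():
        names = sorted(LOGON_TYPE_NAMES.get(t, str(t)) for t in alert["logon_types"])
        print(ip, alert["failures"], "failures via", names,
              "-> compromised:", alert["success_after_burst"], alert["compromised_user"])
```

The window and threshold are deliberately parameters: a service account that retries every few seconds will exceed ten failures on its own, so tune them per environment and pair this with the outbound indicator the quote above describes, new connections from the alerted host to a mining pool.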