The notorious cryptojacking group known as TeamTNT seems to be gearing up for a significant new operation aimed at cloud-native environments for the purpose of mining cryptocurrencies and leasing compromised servers to third parties.
“The group is actively targeting exposed Docker daemons to distribute Sliver malware, a type of cyber worm, and cryptominers, utilizing illicitly accessed servers and Docker Hub as their platform for malware dissemination,” said Assaf Morag, director of threat intelligence at the cloud security firm Aqua, in a report released on Friday.
This latest wave of attacks exemplifies the threat actor’s persistence and adaptability, as they create complex, multi-stage assaults with the intention of breaching Docker environments and integrating them into a Docker Swarm.
In addition to leveraging Docker Hub for hosting and disseminating their malicious content, TeamTNT has been found offering the computing power of their victims to other groups for illicit cryptocurrency mining, thus varying their revenue strategies.
Reports about the attack campaign surfaced earlier this month when Datadog revealed efforts to consolidate infected Docker instances into a Docker Swarm, hinting at the involvement of TeamTNT while refraining from making an outright attribution. However, the overall scope of the operation has become clearer now.
Morag informed The Hacker News that Datadog “identified the infrastructure at a very early stage,” and their discovery “prompted the threat actor to slightly modify their campaign.”
The attacks consist of pinpointing unauthenticated and exposed Docker API endpoints through tools like masscan and ZGrab, subsequently deploying cryptominers and offering the hijacked infrastructure for rent on a platform known as Mining Rig Rentals, allowing them to transfer the responsibility of management away from themselves – reflecting a maturation in the illegal business model.
This is executed via a scripted attack that scans for Docker daemons on specified ports across approximately 16.7 million IP addresses. Once an unauthenticated daemon is found, the script deploys a container based on an Alpine Linux image and passes it malicious commands.
The image is sourced from a compromised Docker Hub account under the control of the attackers, and it runs an initial shell script named the Docker Gatling Gun (“TDGGinit.sh”) to initiate post-exploitation operations.
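The foothold in this campaign is a Docker daemon whose API is reachable over TCP with no client authentication, so the first thing a defender should check on their own hosts is how dockerd is told to listen. The following script is an added example written for this article; it is not from Aqua's or Datadog's reporting and is not TeamTNT tooling. It audits the `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys that dockerd reads from `daemon.json`, and shows a weak configuration next to a hardened one. The two sample configurations, the certificate paths and the `10.0.0.5` management address in them are constructed for the example. One caveat: on many distributions the systemd unit passes `-H` to dockerd directly, in which case the listener is configured there rather than in `daemon.json`, so also check `systemctl cat docker` or the running command line.

```python
"""Audit a dockerd daemon.json for an unauthenticated TCP API listener.

Added example, not code from the article or the vendors it cites. It reads the
daemon.json keys dockerd actually honours (hosts, tls, tlsverify, tlscacert,
tlscert, tlskey) and reports settings that would let an unauthenticated scanner
drive the Docker API remotely.
"""
import json
from urllib.parse import urlsplit

# Conventional dockerd ports: 2375 is the plaintext API, 2376 the TLS API.
PLAINTEXT_PORT = 2375
# Bind addresses that expose the listener on every interface (None covers "tcp://:2375").
ALL_INTERFACES = {None, "", "0.0.0.0", "::"}


def audit_docker_daemon_config(config: dict) -> list[str]:
    """Return findings for the TCP listeners declared in a parsed daemon.json.

    An empty list means either no TCP listener is declared, or every declared
    one requires a client certificate (tlsverify) with its key material set.
    """
    findings = []
    tlsverify = bool(config.get("tlsverify", False))
    tls = tlsverify or bool(config.get("tls", False))

    for host in config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the machine
        parts = urlsplit(host)
        bind = parts.hostname

        if not tls:
            findings.append(f"{host}: plaintext Docker API, no TLS and no client authentication")
        elif not tlsverify:
            findings.append(f"{host}: TLS without tlsverify, any client can issue API calls")
        if bind in ALL_INTERFACES and not tlsverify:
            findings.append(f"{host}: unauthenticated listener bound to all interfaces")

    if tlsverify:
        # dockerd falls back to default paths for these; an explicit setting is auditable.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in config:
                findings.append(f"tlsverify is set but {key} is not configured explicitly")
    return findings


def audit_daemon_json(text: str) -> list[str]:
    """Parse the raw daemon.json text and audit it."""
    return audit_docker_daemon_config(json.loads(text))


# Constructed sample: the kind of daemon.json that the scan described above finds.
WEAK_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", f"tcp://0.0.0.0:{PLAINTEXT_PORT}"],
}

# Constructed sample: remote API only on a management address, client certs required.
# Paths and address are placeholders chosen for the example.
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_docker_daemon_config(cfg)
        print(f"[{label}] {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run it against a real host with `python3 audit.py` after replacing the sample dictionaries with `audit_daemon_json(open("/etc/docker/daemon.json").read())`. A clean result on `daemon.json` alone is not proof of safety: confirm from `ss -ltnp` that nothing is listening on 2375 or 2376 that the configuration did not account for.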
Aqua has noted a significant shift from the previously used Tsunami backdoor to the open-source Sliver command-and-control (C2) framework for remotely controlling the infected servers.
“Additionally, TeamTNT is maintaining its established naming conventions, including Chimaera, TDGG, and bioset (for C2 operations), reinforcing the notion that this aligns with a classic TeamTNT operation,” Morag added.
“In this ongoing campaign, TeamTNT is also utilizing anondns, a concept or service intended to provide anonymity and privacy while resolving DNS queries, to direct traffic to their web server.”
The insights coincide with Trend Micro unveiling a new campaign involving a targeted brute-force attack against an undisclosed client to deploy the Prometei crypto mining botnet.
“Prometei spreads within systems by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB),” the company noted, underscoring the threat actor’s commitment to establishing persistence, evading security measures, and gaining deeper access to an organization’s network through techniques like credential dumping and lateral movement.
“The infected machines connect to a mining pool server, which can facilitate the mining of cryptocurrencies (such as Monero) on compromised machines without the knowledge of the victims.”