The notorious cryptojacking group, TeamTNT, seems poised for a new, large-scale assault on cloud-native environments, aiming to mine cryptocurrency and lease out breached servers to third-party entities.
Currently, the group is exploiting exposed Docker daemons to deploy Sliver (an open-source command-and-control framework), a cyber worm, and cryptominers, using compromised servers and Docker Hub as infrastructure to propagate its malware, according to Assaf Morag, director of threat intelligence at cloud security company Aqua, in a report published on Friday.
The ongoing attacks underline TeamTNT’s persistence and adaptability, showcasing its evolving strategies for complex, multi-stage campaigns intended to compromise Docker environments and transform them into a Docker Swarm. Besides using Docker Hub to distribute their malicious payloads, TeamTNT is also leveraging victims' computational power for unauthorized cryptocurrency mining, broadening its methods of financial gain.
Earlier this month, Datadog detected suspicious efforts to recruit infected Docker instances into a Docker Swarm, speculating that TeamTNT might be responsible, though they stopped short of an official attribution. Until recently, the full scope of this campaign had been unclear.
Morag told The Hacker News that Datadog's early detection of the infrastructure prompted TeamTNT to slightly modify its strategy. The attacks involve locating unauthenticated, exposed Docker API endpoints with tools like masscan and ZGrab, which are then exploited to deploy cryptominers and rent out the compromised infrastructure on platforms like Mining Rig Rentals, effectively offloading management to renters—a sign of their growing operational sophistication.
The attacks rely on a script that scans approximately 16.7 million IP addresses (roughly the size of one /8 range), searching for Docker daemons on ports 2375, 2376, 4243, and 4244. On any daemon it reaches, it launches an Alpine Linux container preloaded with malicious commands.
The container image, originating from a compromised Docker Hub account ("nmlm99"), executes an initial shell script called Docker Gatling Gun ("TDGGinit.sh") to initiate further exploitative actions.
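The campaign only works because a Docker daemon bound to a plain TCP socket accepts any request without authentication. The following Python script is an added example, written for this article and not taken from TeamTNT's tooling or Aqua's report: it sends an unauthenticated `GET /version` to the four ports named above and classifies what answers, so a defender can find their own exposed daemons before the scanner does. The host addresses and the sample replies are constructed; the `400 Bad Request` text is the standard answer of a Go HTTPS listener (which dockerd with TLS is) to a plaintext request.

```python
"""Added example: probe hosts for Docker daemons exposed over plain TCP.

Constructed for this article; it is not TeamTNT's script or Aqua's tooling.
It speaks HTTP to the four ports named in the article and classifies what
answers, so a defender can find their own unauthenticated daemons first.
"""
import json
import socket
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

# Ports the article reports the campaign scanning for Docker daemons.
DOCKER_API_PORTS: Sequence[int] = (2375, 2376, 4243, 4244)

# Constructed sample replies (not captured from a real host), used by the demo below.
SAMPLE_OPEN = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
               b'{"Version":"24.0.7","ApiVersion":"1.43","Os":"linux","Arch":"amd64"}')
# Typical answer of a Go HTTPS server (dockerd with --tlsverify) to a plaintext request.
SAMPLE_TLS = b"HTTP/1.0 400 Bad Request\r\n\r\nClient sent an HTTP request to an HTTPS server.\n"
SAMPLE_SSH = b"SSH-2.0-OpenSSH_9.2\r\n"


def build_version_request(host: str) -> bytes:
    """Unauthenticated GET /version; a plaintext daemon answers with its version JSON."""
    return (f"GET /version HTTP/1.1\r\nHost: {host}\r\n"
            "User-Agent: docker-exposure-check\r\nConnection: close\r\n\r\n").encode()


def parse_http_response(raw: bytes) -> Tuple[Optional[int], str]:
    """Return (status, body) for an HTTP reply, or (None, '') if the bytes are not HTTP."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, ""
    status_line = head.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[0].startswith(b"HTTP/"):
        return None, ""
    try:
        return int(status_line[1]), body.decode("utf-8", "replace")
    except ValueError:
        return None, ""


def classify(raw: bytes) -> str:
    """Map a raw reply to 'closed', 'open_unauthenticated' or 'tls_or_other'."""
    if not raw:
        return "closed"
    status, body = parse_http_response(raw)
    if status == 200:
        try:
            info = json.loads(body)
        except json.JSONDecodeError:
            return "tls_or_other"
        # The Engine API's /version always carries both keys; that is the tell for an open daemon.
        if isinstance(info, dict) and "ApiVersion" in info and "Version" in info:
            return "open_unauthenticated"
    # Something answered but not as a plaintext Docker API: a TLS-only daemon or another service.
    return "tls_or_other"


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, send the request and return whatever came back (b'' on refusal or silence)."""
    chunks: List[bytes] = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_version_request(host))
            while sum(len(c) for c in chunks) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except OSError:  # refused, reset or timed out: keep any partial reply already read
        pass
    return b"".join(chunks)


def find_exposed_daemons(
    hosts: Iterable[str],
    ports: Sequence[int] = DOCKER_API_PORTS,
    prober: Callable[[str, int], bytes] = probe_tcp,
) -> List[Tuple[str, int, str]]:
    """Return (host, port, verdict) for every port that answered at all."""
    findings = []
    for host in hosts:
        for port in ports:
            verdict = classify(prober(host, port))
            if verdict != "closed":
                findings.append((host, port, verdict))
    return findings


if __name__ == "__main__":
    # Offline demo using the constructed replies above instead of a live network.
    fake_net = {("10.0.0.5", 2375): SAMPLE_OPEN, ("10.0.0.5", 2376): SAMPLE_TLS,
                ("10.0.0.6", 4243): SAMPLE_SSH}
    for finding in find_exposed_daemons(["10.0.0.5", "10.0.0.6"],
                                        prober=lambda h, p: fake_net.get((h, p), b"")):
        print(finding)
```

Run `find_exposed_daemons(["192.0.2.10"])` against your own address space to use the real `probe_tcp`. Any `open_unauthenticated` hit is the condition this campaign exploits: the fix is to stop passing `-H tcp://0.0.0.0:2375` to dockerd (leave it on the Unix socket) or, where remote access is required, to run it with `--tlsverify` and client certificates and restrict the port at the firewall.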
In a noteworthy shift, Aqua observed TeamTNT’s replacement of the Tsunami backdoor with the Sliver command-and-control (C2) framework, enhancing its control over infected servers. The group is also sticking with its trademark naming conventions, such as Chimaera, TDGG, and bioset (used in C2 operations), reinforcing the classic TeamTNT campaign signature. This time, they are employing anondns, an anonymous DNS service, to mask the IP address of their web server.
Simultaneously, Trend Micro revealed a new campaign featuring brute-force attacks aimed at delivering the Prometei crypto mining botnet to an unnamed target.
Prometei propagates by exploiting Remote Desktop Protocol (RDP) and Server Message Block (SMB) weaknesses, establishes persistence, evades security defenses, and reaches deeper into a network through credential dumping and lateral movement. The infected machines connect to a mining pool server and mine Monero cryptocurrency without the victim's knowledge.
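Password guessing over RDP and SMB leaves a recognisable trail in the Windows Security log: a burst of event 4625 (failed logon) from one source address, often cycling through account names, and, when it works, a 4624 (successful logon) from the same address right after. The Python detector below is an added example written for this article, not Trend Micro's detection logic and not anything from Prometei; it runs over constructed sample events with the fields a SIEM would extract (logon type 10 is RDP, type 3 covers SMB and other network logons) and raises a second, higher-priority alert when a success follows the burst.

```python
"""Added example: flag RDP/SMB password-guessing from Windows Security events.

Constructed for this article; it is not Trend Micro's detection nor anything
from Prometei itself. Input is a list of dicts with the fields a SIEM would
extract from events 4625 (failed logon) and 4624 (successful logon).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
# Logon types that arrive over the network: 10 = RemoteInteractive (RDP), 3 = Network (SMB etc.).
NETWORK_LOGON_TYPES = (3, 10)

# Constructed sample events (not real telemetry): one guessing burst that ends in a hit
# from 203.0.113.7, plus one ordinary mistyped password from an internal workstation.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-10-20T03:14:02", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"TimeCreated": "2024-10-20T03:14:05", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"TimeCreated": "2024-10-20T03:14:08", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"TimeCreated": "2024-10-20T03:14:11", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    {"TimeCreated": "2024-10-20T03:14:14", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "svc_sql"},
    {"TimeCreated": "2024-10-20T03:14:17", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    {"TimeCreated": "2024-10-20T03:14:20", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    {"TimeCreated": "2024-10-20T03:15:00", "EventID": 4625, "LogonType": 10, "IpAddress": "10.0.0.20", "TargetUserName": "jsmith"},
    {"TimeCreated": "2024-10-20T03:16:00", "EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.20", "TargetUserName": "jsmith"},
]


def detect_bruteforce(events: Iterable[Dict], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Return alerts: 'brute_force' once a source reaches `threshold` network-logon
    failures inside `window`, and 'brute_force_success' if that source then logs on."""
    alerts: List[Dict] = []
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)  # ip -> (time, user)
    bursting = set()  # sources currently over the threshold
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("LogonType") not in NETWORK_LOGON_TYPES:
            continue  # interactive/console logons are not what RDP/SMB guessing produces
        ip = ev["IpAddress"]
        ts = datetime.fromisoformat(ev["TimeCreated"])
        q = recent[ip]
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        if not q:
            bursting.discard(ip)
        if ev["EventID"] == FAILED_LOGON:
            q.append((ts, ev["TargetUserName"]))
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append({
                    "type": "brute_force", "source": ip, "failures": len(q),
                    "users": sorted({user for _, user in q}), "at": ev["TimeCreated"],
                })
        elif ev["EventID"] == SUCCESSFUL_LOGON and ip in bursting:
            # A success right after a guessing burst is the signal that matters most.
            alerts.append({
                "type": "brute_force_success", "source": ip, "user": ev["TargetUserName"],
                "logon_type": ev["LogonType"], "at": ev["TimeCreated"],
            })
            bursting.discard(ip)
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the detector raises one `brute_force` alert when 203.0.113.7 reaches five failures and one `brute_force_success` when the `backup` account then logs on; the single failure from 10.0.0.20 is ignored. The `threshold` and `window` values are assumptions to be tuned against your own baseline; the success-after-burst alert is the one to page on, since it means the credential dumping and lateral movement described above can begin.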
Credit: The Hacker News.