The notorious cryptojacking group TeamTNT is preparing a new large-scale campaign aimed at cloud-native environments to mine cryptocurrencies and rent compromised servers to third parties.
“TeamTNT is currently exploiting exposed Docker daemons to deploy the Sliver malware, a cyber worm, and cryptominers, leveraging compromised servers and Docker Hub as infrastructure to spread their malware,” reported Assaf Morag, director of threat intelligence at Aqua Security, in a report published Friday.
This activity underscores TeamTNT’s persistence and its evolving tactics in executing multi-stage attacks, with the aim of compromising Docker environments and enlisting them in a Docker Swarm.
Beyond using Docker Hub for hosting and distributing malicious payloads, TeamTNT has also been observed selling victims’ computational resources to third parties for cryptocurrency mining, expanding its monetization efforts.
Hints of this campaign surfaced earlier this month when Datadog identified attempts to link infected Docker instances into a Docker Swarm, suggesting potential involvement by TeamTNT while refraining from a definitive attribution. However, the scope of the operation has become clearer now.
Morag told The Hacker News that Datadog “identified the infrastructure in an early phase,” prompting TeamTNT to adjust its campaign strategy.
These attacks involve scanning for unauthenticated, exposed Docker API endpoints using masscan and ZGrab to deploy cryptominers and offer the compromised infrastructure for rent on a mining rental platform called Mining Rig Rentals, effectively outsourcing server management.
The campaign includes an attack script that scans Docker daemons on ports 2375, 2376, 4243, and 4244 across nearly 16.7 million IP addresses, deploying a container with an Alpine Linux image containing malicious commands.
The Alpine image, pulled from a compromised Docker Hub account ("nmlm99") under TeamTNT's control, also runs an initial shell script named Docker Gatling Gun ("TDGGinit.sh") to kickstart post-exploitation.
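The exposure the campaign scans for is a Docker daemon whose API listens on TCP without mutual TLS. The following script is an added example, not code from the article or from Aqua Security, that audits a `daemon.json` for that weak setting and produces a hardened copy; it checks the four ports named above and treats any `tcp://` listener as unauthenticated unless `tlsverify` and the three certificate paths are all set. The sample configurations are constructed, and the certificate paths in the TLS sample are placeholders.

```python
import json

# Docker daemon ports the article says TeamTNT's scanner probes.
SCANNED_PORTS = {2375, 2376, 4243, 4244}
DEFAULT_TCP_PORT = 2375  # dockerd's default when a tcp:// host omits the port
WILDCARD_HOSTS = {"", "0.0.0.0", "::", "[::]"}


def parse_tcp_host(entry):
    """Split a tcp://host:port entry from daemon.json into (host, port)."""
    addr = entry[len("tcp://"):]
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return addr, DEFAULT_TCP_PORT


def has_mutual_tls(config):
    """Mutual TLS is only in force when tlsverify is set and all key material paths are present."""
    return bool(config.get("tlsverify")) and all(
        config.get(key) for key in ("tlscacert", "tlscert", "tlskey")
    )


def audit_daemon_config(config):
    """Return (entry, finding) pairs for every risky tcp:// listener in a daemon.json dict."""
    findings = []
    mtls = has_mutual_tls(config)
    for entry in config.get("hosts", []):
        if not entry.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable from the network
        host, port = parse_tcp_host(entry)
        if not mtls:
            findings.append((entry, "unauthenticated-api"))
        if host in WILDCARD_HOSTS:
            findings.append((entry, "all-interfaces"))
        if port in SCANNED_PORTS:
            findings.append((entry, "scanned-port"))
    return findings


def harden_daemon_config(config):
    """Return a copy that drops every TCP listener unless mutual TLS is configured."""
    hardened = dict(config)
    mtls = has_mutual_tls(config)
    hardened["hosts"] = [
        h for h in config.get("hosts", []) if not h.startswith("tcp://") or mtls
    ]
    if not hardened["hosts"]:
        hardened["hosts"] = ["unix:///var/run/docker.sock"]
    return hardened


# Constructed sample: an exposed daemon of the kind the campaign scans for.
WEAK_DAEMON_JSON = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
)

# Constructed sample with mutual TLS; certificate paths are placeholders.
TLS_DAEMON_JSON = json.dumps(
    {
        "hosts": ["tcp://10.0.0.5:2376"],
        "tlsverify": True,
        "tlscacert": "/placeholder/ca.pem",
        "tlscert": "/placeholder/server-cert.pem",
        "tlskey": "/placeholder/server-key.pem",
    }
)

if __name__ == "__main__":
    cfg = json.loads(WEAK_DAEMON_JSON)
    for entry, finding in audit_daemon_config(cfg):
        print(f"{finding}: {entry}")
    print(json.dumps(harden_daemon_config(cfg), indent=2))
```

The hardened copy keeps only the local Unix socket when a TCP listener lacks mutual TLS; exposing the API remotely at all requires `tlsverify` plus the CA, server certificate and key paths, and the `scanned-port` finding stays informational even then, since port 2376 is on the list the campaign probes.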
Aqua Security observed a notable shift in tactics, with TeamTNT moving from the Tsunami backdoor to the open-source Sliver command-and-control (C2) framework to remotely control infected servers.
“TeamTNT continues to use familiar naming conventions like Chimaera, TDGG, and bioset for C2 operations, reinforcing the signature of a TeamTNT campaign,” Morag said.
Additionally, in this campaign, TeamTNT employs AnonDNS (Anonymous DNS), a privacy-focused DNS solution, to point to their command-and-control server.
Meanwhile, Trend Micro has revealed a new campaign involving a brute-force attack on an unnamed organization, delivering the Prometei cryptomining botnet.
“Prometei spreads by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB),” said the company, noting the attacker’s focus on establishing persistence, evading detection, and enhancing network access via credential dumping and lateral movement.
The compromised machines then connect to a mining pool server, enabling Monero cryptocurrency mining on infected systems without the victim’s awareness.
Source: TheHackerNews