Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining

Summary:
The notorious cryptojacking group TeamTNT is gearing up for a large-scale attack campaign targeting cloud-native environments. This new effort focuses on exploiting exposed Docker daemons to deploy the Sliver malware, cryptominers, and a cyber worm. TeamTNT uses compromised Docker servers and Docker Hub as their infrastructure to spread the malware. In this campaign, TeamTNT's primary goal is to compromise Docker environments and incorporate them into a Docker Swarm. Once a host is compromised, the group monetizes it by offering the victim's computational power to third parties for illicit cryptocurrency mining, specifically Monero. By leveraging Docker Hub to host and distribute malicious payloads, TeamTNT expands its reach, renting out compromised infrastructure on platforms like Mining Rig Rentals. This approach reflects the group's shift toward maturing their business model by outsourcing management of the compromised hosts to others.

The campaign first came to light earlier in the month when Datadog identified malicious attempts to infect Docker instances and incorporate them into a Docker Swarm. Although Datadog refrained from directly attributing the campaign to TeamTNT, Morag later confirmed that Datadog's early discovery forced the group to alter their campaign slightly.

The attack method involves scanning for unauthenticated Docker API endpoints across nearly 16.7 million IP addresses using tools like masscan and ZGrab. Once identified, these endpoints are exploited to deploy cryptominers and containers using Alpine Linux images, loaded with malicious commands. The images are hosted under a compromised Docker Hub account, "nmlm99." The initial attack involves executing a shell script called "TDGGinit[.]sh" (Docker Gatling Gun), which launches post-exploitation activities.

Security Officer Comments:
One major shift in this campaign is the transition from the Tsunami backdoor to the open-source Sliver command-and-control (C2) framework. This move enhances TeamTNT's ability to remotely control infected servers. Furthermore, the group continues to use established naming conventions like "Chimaera" and "bioset" in their C2 operations, signifying that this is a classic TeamTNT campaign. Aqua also discovered that TeamTNT is using anondns (Anonymous DNS) in this campaign, which allows them to anonymize DNS queries, further masking their infrastructure. This level of operational sophistication highlights the group's evolution in both tactics and persistence in targeting cloud infrastructure.

Suggested Corrections:
Organizations should ensure Docker daemons are securely configured, in particular that the Docker API is not exposed without authentication, and continuously monitor for unusual activity to stay ahead of this persistent threat. Researchers at AquaSec have also released indicators of compromise that can be used to detect and defend against TeamTNT:
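As an added example (not code from the article or from Aqua), a small Python audit that checks a host for the two conditions this campaign relies on: a Docker daemon listening on TCP without TLS verification (the unauthenticated API endpoints the attackers scan for) and running containers pulled from the compromised Docker Hub account "nmlm99". The daemon.json and docker ps samples are constructed, and the trusted-namespace allowlist is an assumption.

```python
"""Offline audit for the two host conditions this campaign relies on: a Docker
daemon reachable over TCP without TLS client verification, and containers
running images from an untrusted or known-bad Docker Hub account."""
import json

TRUSTED_NAMESPACES = {"library"}    # assumed allowlist: Docker official images only
KNOWN_BAD_NAMESPACES = {"nmlm99"}   # compromised Docker Hub account named in the report


def image_namespace(image: str) -> str:
    """Namespace of an image reference: 'alpine:3.20' -> 'library',
    'nmlm99/x:1' -> 'nmlm99', 'reg.example:5000/team/app' -> 'reg.example:5000/team'."""
    name = image.split("@", 1)[0]          # drop any digest
    head, _, _last = name.rpartition("/")  # a tag, if any, sits only in the last element
    return head or "library"


def audit_daemon_hosts(daemon_json: str) -> list[str]:
    """Flag daemon.json 'hosts' entries that expose the API over TCP without
    tlsverify: exactly the unauthenticated endpoints the campaign scans for."""
    cfg = json.loads(daemon_json)
    tls_ok = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    return [f"daemon API exposed without TLS: {h}"
            for h in cfg.get("hosts", []) if h.startswith("tcp://") and not tls_ok]


def audit_containers(ps_json_lines: str) -> list[str]:
    """Flag containers by the namespace of their image. Input is the output of
    `docker ps --format '{{json .}}'`, one JSON object per line."""
    findings = []
    for line in filter(str.strip, ps_json_lines.splitlines()):
        c = json.loads(line)
        ns = image_namespace(c["Image"])
        if ns in KNOWN_BAD_NAMESPACES:
            findings.append(f"{c['Names']}: image from known-bad account {ns} ({c['Image']})")
        elif ns not in TRUSTED_NAMESPACES:
            findings.append(f"{c['Names']}: image from untrusted namespace {ns} ({c['Image']})")
    return findings


# Constructed sample input standing in for a real host's daemon.json and docker ps output.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_PS = "\n".join([
    '{"ID":"1a2b3c4d5e6f","Image":"nginx:1.27","Names":"web"}',
    '{"ID":"6f5e4d3c2b1a","Image":"nmlm99/sample-image:latest","Names":"worker"}',
])

if __name__ == "__main__":
    for finding in audit_daemon_hosts(SAMPLE_DAEMON_JSON) + audit_containers(SAMPLE_PS):
        print("FINDING:", finding)
```

On a live host, feed it `/etc/docker/daemon.json` and the output of `docker ps --format '{{json .}}'`; a TCP host entry without tlsverify, or any hit on the known-bad namespace, is the condition to fix first.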


IOCs:
https://www.aquasec.com/blog/threat-alert-teamtnts-docker-gatling-gun-campaign/

Link(s):
https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.html


https://www.aquasec.com/blog/threat-alert-teamtnts-docker-gatling-gun-campaign/