Boztek

Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining

TeamTNT, a notorious cryptojacking group, is reportedly preparing for a significant new campaign aimed at exploiting cloud-native environments to mine cryptocurrencies and renting out compromised servers. According to Assaf Morag, director of threat intelligence at Aqua, the group is currently focusing on exposed Docker daemons to deploy Sliver malware, which is a form of cyber worm, alongside cryptominers. The operation utilizes compromised servers and Docker Hub as its infrastructure to disseminate their malicious software.

The recent activity by TeamTNT illustrates the group’s ongoing ingenuity and adaptability, evidenced by its multi-stage attacks that compromise Docker environments and convert them into a Docker Swarm. Their tactics include leveraging Docker Hub for hosting and distributing harmful payloads, while also offering victims’ computing resources to other entities for illicit mining purposes, thereby expanding their revenue generation strategies.

Emerging reports earlier in October indicated potential TeamTNT involvement when Datadog noted attempts to consolidate infected Docker instances into a Docker Swarm, although they did not officially attribute the activities to the group. Morag elaborated that Datadog discovered the campaign’s infrastructure at an early phase, which compelled the attackers to modify their approach.

The attack methodology primarily involves scanning for unauthenticated and exposed Docker API endpoints using tools like masscan and ZGrab. Once identified, these endpoints enable the deployment of cryptominers and the commercial leasing of the compromised infrastructure on mining rental platforms, such as Mining Rig Rentals. This evolution reflects the sophistication of illegal business models within the cybercriminal landscape.

To execute their attacks, TeamTNT employs a script that scans ports 2375, 2376, 4243, and 4244 across approximately 16.7 million IP addresses. The script deploys a container based on an Alpine Linux image loaded with malicious commands, retrieved from a compromised Docker Hub account designated as “nmlm99.” The deployed image also runs an initial shell script named Docker Gatling Gun, which is used for subsequent exploitation activities.
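The exposure the two paragraphs above describe (an unauthenticated Docker API reachable over TCP on ports such as 2375) is a daemon configuration problem that can be audited before a scanner finds it. The following is an added example, not code from the article, Aqua or Datadog: it reads a daemon.json and flags any tcp:// listener on a non-loopback address that lacks TLS client verification; the sample configurations and file paths in it are constructed.

```python
"""Audit a Docker daemon.json for an unauthenticated TCP API listener.

Constructed example; not code from the article, Aqua or Datadog. It flags
any tcp:// entry in "hosts" that listens on a non-loopback address without
TLS client verification, i.e. the exposed Docker API endpoint this campaign
scans for.
"""
import json
from typing import List, Optional

SCANNED_PORTS = {2375, 2376, 4243, 4244}  # ports named in the article
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def exposed_listeners(daemon_json: str) -> List[str]:
    """Return one finding per risky tcp:// listener (empty list = clean)."""
    cfg = json.loads(daemon_json)
    # Client-certificate verification needs tlsverify plus all three files.
    tls_ok = bool(cfg.get("tlsverify")) and all(
        cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network-reachable
        hostpart = host[len("tcp://"):]
        port: Optional[str]
        if hostpart.endswith("]") or ":" not in hostpart:
            addr, port = hostpart, None  # port omitted, dockerd picks default
        else:
            addr, _, port = hostpart.rpartition(":")
        addr = addr.strip("[]")  # bracketed IPv6 literal such as [::]
        if addr in LOOPBACK:
            continue  # reachable only from the host itself
        if tls_ok:
            continue  # remote callers must present a cert signed by the CA
        msg = f"{host}: Docker API reachable without TLS client verification"
        if port and port.isdigit() and int(port) in SCANNED_PORTS:
            msg += " (port is in the TeamTNT scan list)"
        findings.append(msg)
    return findings


# Constructed sample configurations: weak setting beside the corrected one.
WEAK = json.dumps({"hosts": ["unix:///var/run/docker.sock",
                             "tcp://0.0.0.0:2375"]})
HARDENED = json.dumps({"hosts": ["unix:///var/run/docker.sock",
                                 "tcp://0.0.0.0:2376"],
                       "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
                       "tlscert": "/etc/docker/server-cert.pem",
                       "tlskey": "/etc/docker/server-key.pem"})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, exposed_listeners(cfg) or "no exposed listeners")
```

A daemon that sets "tls": true without "tlsverify" encrypts the connection but still accepts any client, so the check treats it as exposed.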

Notably, there has been a strategic shift from the previously used Tsunami backdoor to the open-source Sliver command-and-control (C2) framework, which facilitates remote control over the infected servers. Morag observed that TeamTNT continues to maintain recognizable naming conventions for their operations, such as Chimaera and TDGG, reaffirming the signature characteristics of their campaigns.

Additionally, TeamTNT has integrated the use of AnonDNS services to enhance anonymity when resolving DNS queries that lead to their malicious web servers. This step is indicative of their continued commitment to obfuscating their activities and maintaining operational security.

In a related context, Trend Micro recently disclosed a different campaign involving a targeted brute-force attack aimed at delivering the Prometei crypto mining botnet to an unspecified client. This botnet exploits vulnerabilities within Remote Desktop Protocol (RDP) and Server Message Block (SMB) to infiltrate systems, establish persistence, and bypass security measures. Compromised machines are then directed to connect to a mining pool server for mining Monero without the victims’ awareness.

Overall, the evolving tactics and strategies of cybercriminal groups such as TeamTNT and the emergence of new threats like Prometei underscore the increasingly complex and dangerous landscape of cloud security and cryptocurrency exploitation, necessitating constant vigilance and proactive security measures from organizations worldwide.