The notorious cryptojacking group known as TeamTNT appears to be preparing a large-scale new campaign against cloud-native environments, both to mine cryptocurrency and to rent out compromised servers to third parties.
The group is currently focused on exploiting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure for its operations, says Assaf Morag, director of threat intelligence at cloud security firm Aqua, in a report published Friday.
The latest attack campaign is a testament to the persistence and adaptability of the actor, which has evolved its tactics into multi-stage attacks that compromise Docker environments and then enroll them in a Docker Swarm.
Besides using Docker Hub to host and distribute malware, TeamTNT hijacks victims' computing power for illicit cryptocurrency mining, diversifying its revenue streams.
The first signs of the campaign surfaced earlier this month, when Datadog disclosed attempts to corral infected Docker instances into a Docker Swarm, prompting speculation that TeamTNT was behind the operation, although no formal attribution was made. The scope and scale of the operation were unclear until now.
Datadog reportedly detected the malicious infrastructure early on, which led the threat actor to quickly change its tactics.
The attacks exploit unauthenticated, exposed Docker API endpoints, identified with masscan and ZGrab, to deploy cryptominers on the compromised infrastructure and to sell access to other parties through the mining rental platform Mining Rig Rentals, effectively outsourcing the mining work and marking an evolution of the illicit business model.
One initial-access vector is a scanning script that systematically looks for Docker daemons listening on ports 2375, 2376, 4243, and 4244 across roughly 16.7 million unique IP addresses. On a hit, it spawns a container running an Alpine Linux image that carries malicious code.
The image, pulled from a compromised Docker Hub account ("nmlm99"), delivers an initial shell script called the Docker Gatling Gun ("TDGGinit.sh"), which kicks off the post-exploitation activity.
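As an added example (not code from the Aqua report or from TeamTNT's tooling), here is a Python checker a defender can run against their own address space to find the exposure the scanning script hunts for: it probes the same four ports with an unauthenticated GET /version, which a plaintext Docker daemon answers with a JSON document containing ApiVersion, and it audits a daemon.json for TCP listeners configured without TLS verification. The host names, sample config and sample responses are constructed; port 2376 is conventionally TLS, so a plaintext probe there only reports that the request failed, not that the daemon is safe.

```python
"""Defender-side check for exposed Docker Engine API endpoints.

Added example: probes the ports the TeamTNT scanner targets (2375, 2376,
4243, 4244) with an unauthenticated GET /version and audits daemon.json
for TCP listeners configured without TLS. Standard library only.
"""
import http.client
import json
from typing import Iterable, Optional

# Ports the scanning script described in the report looks for.
DOCKER_PORTS = (2375, 2376, 4243, 4244)


def classify_version_response(body: str) -> Optional[dict]:
    """Return a summary if `body` is a Docker Engine /version reply, else None.

    An unauthenticated daemon answers GET /version with JSON containing
    ApiVersion; anything else (HTML, another service's banner) is rejected.
    """
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(data, dict) or "ApiVersion" not in data:
        return None
    return {
        "api_version": data.get("ApiVersion"),
        "version": data.get("Version"),
        "os": data.get("Os"),
    }


def probe_docker_api(host: str, port: int, timeout: float = 3.0) -> Optional[dict]:
    """GET /version over plaintext HTTP and classify the reply.

    Returns the summary dict for an unauthenticated daemon, None for closed
    ports, timeouts, non-200 replies or non-Docker services. A TLS-only
    listener (typically 2376) rejects the plaintext request, so None there
    does not prove the daemon is locked down; check it with a TLS client.
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/version")
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        status = resp.status
        conn.close()
    except (OSError, http.client.HTTPException):
        return None
    if status != 200:
        return None
    return classify_version_response(body)


def scan_hosts(hosts: Iterable[str], ports: Iterable[int] = DOCKER_PORTS) -> list:
    """Probe every host/port pair; return (host, port, summary) for exposed daemons."""
    exposed = []
    for host in hosts:
        for port in ports:
            summary = probe_docker_api(host, port)
            if summary is not None:
                exposed.append((host, port, summary))
    return exposed


def daemon_json_exposure(config_text: str) -> list:
    """Flag daemon.json 'hosts' entries that expose the API over TCP without tlsverify.

    A TCP listener is only acceptable together with "tlsverify": true, which
    makes the daemon demand a client certificate signed by the configured CA.
    """
    cfg = json.loads(config_text)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for listener in cfg.get("hosts", []):
        if listener.startswith("tcp://") and not tls_verify:
            findings.append(f"{listener}: TCP listener without tlsverify")
    return findings


if __name__ == "__main__":
    # Constructed sample: what an unauthenticated daemon's /version reply looks like.
    sample_reply = '{"Version": "24.0.7", "ApiVersion": "1.43", "Os": "linux"}'
    print("classified:", classify_version_response(sample_reply))

    # Constructed sample daemon.json with an exposed plaintext listener.
    sample_config = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
    for finding in daemon_json_exposure(sample_config):
        print("finding:", finding)

    # The host name is an assumption; replace it with your own ranges before running.
    for host, port, summary in scan_hosts(["docker-host.example.internal"]):
        print(f"EXPOSED {host}:{port} api={summary['api_version']}")
```

Anything this reports as exposed is reachable by exactly the kind of masscan/ZGrab sweep described above, and the fix is to drop the plaintext TCP listener from daemon.json (or require tlsverify with a client CA) rather than to firewall the port alone.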
Notable among the changes Aqua observed is a shift away from the Tsunami backdoor in favor of Sliver, an open-source command-and-control (C2) framework used to remotely control the compromised servers.
Noting TeamTNT's consistent naming conventions, Morag observed that the names "Chimaera," "TDGG," and "bioset," which echo earlier C2 operations, reinforce the conclusion that this is a signature TeamTNT campaign.
TeamTNT also uses AnonDNS, a service that resolves DNS queries anonymously, to direct traffic to its web server while obscuring the operator's own infrastructure.
The findings come as Trend Micro shed light on a separate campaign in which a targeted brute-force attack against an unnamed target was used to deliver the Prometei crypto-mining botnet.
“Prometei exploits vulnerabilities in RDP and SMB protocols to spread within the system, initially establishing persistence through credential dumping and lateral movement.”
The infected machines connect to a mining pool server that mines cryptocurrency (specifically Monero) on the compromised devices without the owner's knowledge or consent.