Infamous Hacker Group TeamTNT Unleashes Fresh Cloud Attacks for Cryptocurrency Mining
The notorious cryptojacking group TeamTNT is ramping up for a significant new campaign targeting cloud-native environments to mine cryptocurrency and rent compromised servers to third parties.
According to Assaf Morag, director of threat intelligence at cloud security firm Aqua, TeamTNT's current tactics involve targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers. The group leverages compromised servers and Docker Hub as infrastructure to spread their malware, underscoring their relentless efforts to breach Docker environments and add them to a Docker Swarm.
In this campaign, TeamTNT hosts malicious payloads on Docker Hub, allowing them to use victims' computational power not only for their mining activities but also for renting out to others. This approach diversifies their revenue model and increases the profitability of their operations.
Initial signs of this campaign surfaced earlier this month when Datadog identified attempts to herd infected Docker instances into a Docker Swarm. Although Datadog hinted TeamTNT might be behind the attacks, they refrained from confirming attribution. However, Aqua's findings now provide more clarity on the scope of the operation.
Morag revealed that Datadog’s early discovery led TeamTNT to adjust its campaign, which relies on unauthenticated Docker API endpoints. Using tools like masscan and ZGrab, TeamTNT locates exposed endpoints to deploy cryptominers and sells this compromised infrastructure on the Mining Rig Rentals platform.
Their attack script scans for Docker daemons on ports 2375, 2376, 4243, and 4244 across 16.7 million IP addresses, then deploys containers from Alpine Linux images and runs a malicious script known as the Docker Gatling Gun (TDGGinit.sh) to carry out its post-exploitation activity.
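The exposure this campaign depends on is a dockerd TCP listener that answers the Remote API without client authentication. As an added defender-side check (not code from the article, Aqua or Docker), the audit below reads a host's own daemon.json text and dockerd command line and flags any TCP listener reachable off-host without `tlsverify`; the function names and the sample inputs are constructed for this example.

```python
import json
import re
import shlex

# Ports the article says TeamTNT's scanner probes for Docker daemons.
PROBED_PORTS = {2375, 2376, 4243, 4244}
TCP_HOST_RE = re.compile(r"^tcp://(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:]*))?(?::(?P<port>\d+))?$")


def _collect_hosts(cfg, argv):
    """Gather every listener from daemon.json "hosts" plus -H/--host flags."""
    hosts = list(cfg.get("hosts", []))
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("--host=", "-H=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts


def audit_docker_listeners(daemon_json, dockerd_cmdline):
    """One finding per TCP listener. 'critical' means the Remote API is reachable
    from the network with no client authentication, which is what this campaign abuses."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv = shlex.split(dockerd_cmdline)
    tls = cfg.get("tlsverify") is True or "--tlsverify" in argv
    findings = []
    for h in _collect_hosts(cfg, argv):
        m = TCP_HOST_RE.match(h)
        if not m:
            continue  # unix:// and fd:// sockets are not reachable over the network
        addr = m.group("v6") or m.group("v4") or "0.0.0.0"  # empty host = all interfaces
        port = int(m.group("port") or (2376 if tls else 2375))  # dockerd defaults
        if addr in ("127.0.0.1", "::1", "localhost"):
            severity = "info"
        elif tls:
            severity = "medium"  # probed port, but the scanner cannot authenticate
        else:
            severity = "critical"
        findings.append({"host": h, "addr": addr, "port": port, "tlsverify": tls,
                         "probed_port": port in PROBED_PORTS, "severity": severity})
    return findings


# Constructed sample inputs (not taken from any real host).
EXPOSED_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], "tlsverify": true, '
                 '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')
DOCKERD_CMD = "/usr/bin/dockerd --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for finding in audit_docker_listeners(EXPOSED_JSON, DOCKERD_CMD):
        print(finding)
```

On a live host, feed it the contents of /etc/docker/daemon.json and the dockerd line from `ps -o args= -C dockerd`; a `critical` finding is the configuration the scanner described above is looking for.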
A notable shift in tactics is TeamTNT’s move from the Tsunami backdoor to the Sliver command-and-control (C2) framework, indicating an evolution in their control over infected servers. Their use of unique identifiers like Chimaera and TDGG reaffirms TeamTNT’s involvement. They also employ AnonDNS (Anonymous DNS) for added anonymity.
Meanwhile, Trend Micro has uncovered a related campaign involving brute-force attacks to distribute the Prometei crypto mining botnet. Prometei exploits RDP and SMB vulnerabilities to gain a foothold, evade detection, and escalate privileges, ultimately enabling it to mine Monero cryptocurrency on compromised systems undetected.