The cryptojacking group TeamTNT appears poised for a large-scale attack campaign, setting its sights on cloud-native environments to exploit resources for cryptocurrency mining and offering rented access to breached servers.
In a report from Aqua Security, Assaf Morag, Director of Threat Intelligence, explains that TeamTNT has begun targeting open Docker APIs to deploy the Sliver malware, a powerful cyber worm, alongside cryptominers. “The group is currently targeting exposed Docker daemons using compromised servers and Docker Hub to spread their malware,” Morag states, underlining TeamTNT’s growing sophistication in multi-stage cloud attacks.
Docker Daemon Exploits for Cloud Attacks
TeamTNT’s campaign primarily exploits Docker Hub and compromised Docker APIs to distribute malicious payloads. Initial signs of the attack emerged earlier this month when Datadog observed attempts to compromise Docker instances, potentially linking the campaign to TeamTNT. As Morag notes, “Datadog found the infrastructure in a very early stage,” prompting TeamTNT to adjust its tactics.
Using an automated script to scan for vulnerable Docker daemons on ports 2375, 2376, 4243, and 4244, the group targets nearly 16.7 million IP addresses. Once a vulnerable endpoint is detected, they deploy a container using an Alpine Linux image with embedded malicious commands, managed through a Docker Hub account under TeamTNT’s control.
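The two exposures this paragraph describes (a Docker daemon answering on one of the scanned TCP ports, and a container launched from an attacker-controlled Docker Hub image) are both things a defender can check for directly. The script below is an added example for this article, not tooling from Aqua Security, Datadog, or the campaign itself: it audits a `daemon.json` plus any `-H` flags for unauthenticated `tcp://` listeners, and it scans `docker events --format '{{json .}}'` output for container creations from images outside an allowlist. The sample configs, event lines, the Hub user name `untrusted-hub-user`, and the allowlist entries are all constructed placeholders.

```python
"""Defender-side checks for exposed Docker daemons and unapproved images.

Added example for this article; not Aqua's, Datadog's, or TeamTNT's code.
"""
import json

# Ports the article says the campaign scans (2375/2376 are the daemon's own
# plain/TLS defaults; 4243/4244 are legacy alternatives).
DOCKER_API_PORTS = {2375, 2376, 4243, 4244}

# Hypothetical allowlist: the registries and namespaces your hosts may pull from.
APPROVED_IMAGE_PREFIXES = ("registry.internal.example/", "library/", "docker.io/library/")


def parse_host_flag(host: str) -> dict:
    """Split a -H / "hosts" entry such as tcp://0.0.0.0:2375 into scheme, addr, port."""
    scheme, _, rest = host.partition("://")
    if scheme != "tcp":
        return {"scheme": scheme, "addr": rest, "port": None}
    addr, _, port = rest.rpartition(":")
    return {
        "scheme": scheme,
        "addr": addr if addr else rest,
        "port": int(port) if port.isdigit() else None,
    }


def audit_daemon_config(daemon_json: dict, extra_hosts=()) -> list:
    """Return findings for a daemon.json dict plus any -H flags from the unit file.

    A tcp:// listener is acceptable only with tlsverify on, i.e. the daemon
    demands a client certificate; without it anyone who reaches the port can
    create containers and therefore run code on the host.
    """
    findings = []
    tls_verify = bool(daemon_json.get("tlsverify", False))
    for host in list(daemon_json.get("hosts", [])) + list(extra_hosts):
        info = parse_host_flag(host)
        if info["scheme"] != "tcp":
            continue  # unix:// and fd:// sockets are not network-reachable
        if not tls_verify:
            findings.append(f"CRITICAL {host}: Docker API over TCP without tlsverify")
        elif info["addr"] in ("", "0.0.0.0", "[::]"):
            findings.append(f"WARN {host}: TLS-protected API bound on all interfaces")
        if info["port"] in DOCKER_API_PORTS:
            findings.append(f"INFO {host}: port {info['port']} is among those the campaign scans")
    return findings


def image_is_approved(image: str) -> bool:
    """Normalise a bare Docker Hub reference ('alpine:3.20') to library/… and check the allowlist."""
    name = image.split("@")[0]          # drop any digest
    if "/" not in name:
        name = "library/" + name        # official images live in the library namespace
    return name.startswith(APPROVED_IMAGE_PREFIXES)


def flag_container_events(event_lines) -> list:
    """Scan `docker events --format '{{json .}}'` lines for creates from unapproved images."""
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("Type") != "container" or ev.get("Action") != "create":
            continue
        attrs = ev.get("Actor", {}).get("Attributes", {})
        image = attrs.get("image", "")
        if not image_is_approved(image):
            alerts.append({"container": attrs.get("name"), "image": image, "time": ev.get("time")})
    return alerts


# Constructed sample inputs.
INSECURE_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}
SAMPLE_EVENTS = [
    '{"Type":"container","Action":"create","Actor":{"ID":"aaa","Attributes":{"image":"alpine:3.20","name":"web_cache"}},"time":1730000000}',
    '{"Type":"container","Action":"create","Actor":{"ID":"bbb","Attributes":{"image":"untrusted-hub-user/alpine:latest","name":"quirky_pike"}},"time":1730000060}',
    '{"Type":"container","Action":"start","Actor":{"ID":"bbb","Attributes":{"image":"untrusted-hub-user/alpine:latest","name":"quirky_pike"}},"time":1730000061}',
]

if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(cfg))
    print(flag_container_events(SAMPLE_EVENTS))
```

Run it against your own `/etc/docker/daemon.json` (and the `ExecStart` line of the docker systemd unit, passed as `extra_hosts`) to see whether a host would have answered the scan; the event check is the kind of rule that belongs in whatever collects `docker events` on your nodes, since a create from an unknown Hub namespace is the first visible step of the deployment this paragraph describes.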
Shift to Sliver C2 Framework
Aqua’s research highlights a notable shift in TeamTNT’s approach—moving from the Tsunami backdoor to the Sliver command-and-control (C2) framework. The shift allows TeamTNT more robust control over infected machines. This campaign also introduces “anondns” (Anonymous DNS) to disguise server connections, further enhancing the group’s ability to evade detection.
TeamTNT’s use of Docker Swarm to coordinate and control compromised servers signifies an evolution in cloud-based cryptojacking tactics. By redirecting their victims’ computational power for cryptocurrency mining or renting it to third parties, TeamTNT has adopted a diversified, mature monetization model.
Prometei Botnet Resurgence
This new TeamTNT campaign arrives alongside reports from Trend Micro of a resurgence in the Prometei crypto mining botnet, which targets Remote Desktop Protocol (RDP) and Server Message Block (SMB) vulnerabilities. Once infected, machines connect to mining pools to mine Monero, draining resources without the victim’s knowledge.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067