TeamTNT Targets the Cloud: New Campaign Leverages Docker for Cryptojacking
The TeamTNT group is preparing for a major new campaign targeting cloud environments to mine cryptocurrencies and rent compromised servers to third parties. Experts at AquaSec have observed the group’s activity, which exploits vulnerable Docker daemons to distribute malware and cryptominers.
Among the tools employed are the Sliver framework for managing compromised servers and various cryptocurrency miners. Docker Hub serves as a repository and distribution point for malicious containers, while infected machines become part of a Docker Swarm, creating a network for illicit mining.
Previously, Datadog had warned of attempts to co-opt infected Docker instances into such networks, though until now, there was no conclusive evidence linking these efforts to TeamTNT. AquaSec has confirmed that earlier investigations prompted the attackers to adjust their tactics, demonstrating their adaptability.
The group scans for exposed Docker APIs with the masscan and ZGrab scanners, sweeping millions of IP addresses. On hosts found exposed, the attackers deploy containers that run malicious scripts. One such container uses an Alpine Linux image and launches a script named “TDGGinit.sh” that carries out the follow-on attacks. A compromised Docker Hub account under the name “nmlm99” serves as the source of these images.
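As an added defensive example (not code from the article, AquaSec or TeamTNT), the following Python checks the two conditions this campaign relies on: a Docker daemon whose API listens on plain TCP without TLS client verification, and running containers pulled from a Docker Hub account that is not on an allow-list. The daemon.json fragments, the `docker ps` lines and the image name following `nmlm99` are constructed for the example.

```python
import json

# Constructed sample configs (not from the article). The first is the weak
# setting the campaign scans for: the daemon API on plain TCP, no TLS.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
                        ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}')

def exposed_tcp_listeners(daemon_json: str) -> list:
    """Return tcp:// listeners from a daemon.json that are not protected by
    dockerd's "tlsverify" (mutual TLS); these are what the scanners find."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify") is True:
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]

def image_namespace(image: str) -> str:
    """Map an image reference to the Docker Hub account or registry host that
    published it, so it can be compared against an allow-list."""
    ref = image.split("@", 1)[0]            # drop a pinned digest
    parts = ref.split("/")
    parts[-1] = parts[-1].split(":", 1)[0]  # drop the tag from the final segment
    if len(parts) == 1:
        return "library"                    # official image such as alpine
    return parts[0]                         # Hub user/org, or a registry host

def untrusted_images(ps_lines, allowed):
    """Given tab-separated lines of `docker ps --format '{{.Names}}\\t{{.Image}}'`,
    return (container, image) pairs whose publisher is not allow-listed."""
    hits = []
    for line in ps_lines:
        name, image = line.split("\t", 1)
        if image_namespace(image) not in allowed:
            hits.append((name, image))
    return hits

# Constructed `docker ps` output; "nmlm99" is the Hub account named in the
# article, the image name after it is made up for this example.
SAMPLE_PS = [
    "web\tnginx:1.27",
    "worker\tnmlm99/alpine-tool:latest",
    "db\tregistry.example.internal:5000/platform/postgres:16",
]
ALLOWED = {"library", "registry.example.internal:5000"}

if __name__ == "__main__":
    print("exposed listeners:", exposed_tcp_listeners(WEAK_DAEMON_JSON))
    print("untrusted images:", untrusted_images(SAMPLE_PS, ALLOWED))
```

Run it against the real `/etc/docker/daemon.json` and live `docker ps` output to get an inventory of hosts and containers that match the pattern described above.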
A distinctive feature of this new campaign is the use of the Sliver framework in place of TeamTNT’s usual backdoor, Tsunami. To ensure anonymity, the group has also incorporated the AnonDNS service to obscure DNS requests.
Meanwhile, Trend Micro recently reported on a separate campaign involving the Prometei botnet, which spreads by exploiting vulnerabilities in the RDP and SMB protocols. Infected machines are connected to a Monero mining pool, typically without their owners realising that their resources are being exploited.