Cybersecurity researchers at Aqua Nautilus have discovered a new hacking campaign by Adept Libra (aka TeamTNT), targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and crypto miners.
TeamTNT is a notorious hacking group known for aggressive and persistent attacks on cloud-native environments. The group is known for exploiting vulnerabilities in Docker daemons and Kubernetes clusters to deploy malware and hijack resources for cryptocurrency mining.
In a recent campaign, TeamTNT compromised a legitimate Docker Hub account (nmlm99) to host malicious software, uploading around 30 images divided into two categories: infrastructure and impact. The infrastructure images are used to spread malware, while the impact images focus on mining cryptocurrency or renting out computing power.[1]
Attack Flow
TeamTNT’s signature
TeamTNT is using Docker Gatling Gun, which scans a massive range of IP addresses (around 16.7 million) for vulnerabilities in Docker daemons running on specific ports (2375, 2376, 4243, and 4244). If a vulnerability is found, a container from a compromised TeamTNT Docker Hub account is deployed, running a minimal Alpine Linux operating system and executing a malicious script called “TDGGinit.sh”. This script likely sets the stage for further malicious activity on the compromised system. “TeamTNT deploys among other a local search of keys and credentials, such as SSH, cloud metadata server calls etc. Once they gain access, they store and disseminate their malware through these accounts,” the report read.
To evade detection, TeamTNT employs the Sliver malware, a more advanced and stealthier tool compared to their previous tool, Tsunami. They also use familiar names like Chimaera and Bioset to blend in with legitimate processes. Additionally, they steal credentials and scan networks for further targets.
For command and control, TeamTNT relies on web servers, Docker Hub, and various communication protocols like DNS, mTLS, and potentially proxies. Ultimately, their goal is to hijack resources for cryptocurrency mining or sell access to the compromised systems.
To mine cryptocurrency, such as Monero, TeamTNT uses various mining software, including XMRig, T-Rex, CGMiner, BFGMiner, and SGMiner. They often optimize mining operations by targeting specific hardware and software configurations.
This campaign shows TeamTNT’s ability to adapt and evolve, urging organizations to be alert and upgrade their cybersecurity. The group is highly skilled and motivated and is not afraid to take risks. To protect against TeamTNT risks, organizations must invest in strong security practices, including software updates and network infrastructure security.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://hackread.com/teamtnt-exploits-ips-malware-attack-docker-clusters/#google_vignette
Comments