Docker, Sliver and AnonDNS – what is the danger of the new TeamTNT campaign?

Attackers are mastering new monetization schemes on hijacked servers.

The TeamTNT group is preparing a major new campaign that targets cloud environments for cryptocurrency mining and for renting compromised servers to third parties. AquaSec experts have recorded activity in which the group uses vulnerable Docker daemons to distribute malware and cryptominers.

Among the tools involved are the Sliver framework, used to manage the hacked servers, and various cryptocurrency miners. Docker Hub is used to store and distribute the malicious containers, and infected machines are joined to a Docker Swarm, forming a network for illegal mining.

Datadog had previously warned about attempts to enrol infected Docker instances in such a network, but until now there was no definitive evidence that TeamTNT was behind it. AquaSec confirmed that the earlier investigations forced the attackers to adjust their methods, showing their ability to adapt.

The group actively searches for open Docker APIs using the masscan and ZGrab scanners. The exposed daemons it finds make it possible to deploy containers with malicious scripts across millions of IP addresses. One such container uses the Alpine Linux image and runs a script called "TDGGinit.sh" to carry out further attacks. A compromised Docker Hub account named "nmlm99" serves as the source of these images.
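The two weaknesses this paragraph describes, a Docker Engine API reachable over the network and containers pulled from an attacker-controlled Docker Hub namespace, are both things an operator can check for on their own hosts. The script below is an added example, not code from the article or from AquaSec; it audits a daemon.json document for unauthenticated TCP exposure (the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real dockerd settings) and compares the image namespaces of running containers against an allow-list. The daemon configurations, the container records, the `10.0.0.5` management address and the `mycorp` / `registry.example.internal` namespaces are constructed for illustration; only the `nmlm99` namespace comes from the report.

```python
"""Defender-side audit for two exposures described in the report: a Docker daemon
that answers the Engine API over plain TCP without TLS client authentication, and
containers started from an image namespace the organisation does not own.
All sample data below is constructed for illustration (not taken from the report),
except the 'nmlm99' Docker Hub namespace, which the report names."""
import json
from urllib.parse import urlparse

# Constructed /etc/docker/daemon.json contents: an exposed daemon and a hardened one.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],  # management address only
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(daemon_json: str) -> list:
    """Return findings for a daemon.json document; an empty list means no exposure found."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if urlparse(h).scheme == "tcp"]
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append("Engine API on %s without tlsverify: anyone who can reach the port "
                        "can create arbitrary containers on the host" % ", ".join(tcp_hosts))
    for h in tcp_hosts:
        if urlparse(h).hostname in ("0.0.0.0", "::", None):
            findings.append("%s binds every interface; bind the API to a management "
                            "address or keep it on the unix socket only" % h)
    return findings


# Constructed records in the shape of `docker ps --format '{{json .}}'` output.
RUNNING_CONTAINERS = [
    {"ID": "a1b2c3d4e5f6", "Image": "nginx:1.25", "Names": "web"},
    {"ID": "0f9e8d7c6b5a", "Image": "mycorp/api:3.1", "Names": "api"},
    {"ID": "112233445566", "Image": "nmlm99/alpine:latest", "Names": "hardcore_swan"},
    {"ID": "aabbccddeeff", "Image": "registry.example.internal/mycorp/batch:2", "Names": "batch"},
]
# Constructed allow-list of namespaces the organisation publishes under.
APPROVED_NAMESPACES = {"library", "mycorp", "registry.example.internal/mycorp"}


def image_namespace(image: str) -> str:
    """Everything before the final '/' of an image reference; a bare name such as
    'nginx:1.25' is a Docker Hub official image, which lives under 'library'."""
    repo_path, _, _ = image.split("@", 1)[0].rpartition("/")
    return repo_path or "library"


def unapproved_images(containers, approved=APPROVED_NAMESPACES):
    """Images of running containers whose namespace is not on the allow-list."""
    return [c["Image"] for c in containers if image_namespace(c["Image"]) not in approved]


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or ["ok"])
    print("unapproved:", unapproved_images(RUNNING_CONTAINERS))
```

On a real host, feed `audit_daemon_config` the contents of `/etc/docker/daemon.json` and `unapproved_images` the parsed output of `docker ps --format '{{json .}}'`; a container whose image comes from a namespace nobody in the organisation publishes under is the simplest signal that someone else has been using the daemon.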

A distinctive feature of the new campaign is the use of the Sliver framework instead of TeamTNT's usual Tsunami backdoor. To preserve anonymity, the group has also adopted the AnonDNS service to hide its DNS requests.

Meanwhile, Trend Micro recently reported on another campaign, involving the Prometei botnet, which spreads through vulnerabilities in the RDP and SMB protocols. Infected machines connect to a Monero mining pool while their owners remain unaware that their resources are being used.
