The notorious hacking collective TeamTNT has initiated a fresh campaign targeting cloud-native setups to mine cryptocurrencies, while also monetizing by leasing compromised servers to third-party clients.
This new wave of attacks seems poised for significant impact, aimed at Docker environments to mine digital currency and deploy malicious software.
The group is primarily focusing on vulnerable Docker daemons, using these to deploy the Sliver malware, a cyber worm, and cryptocurrency miners. Researchers have noted that compromised servers and Docker Hub accounts act as a launchpad for TeamTNT’s malware, spreading the infections further.
TeamTNT’s recurring attacks highlight their adaptability, evolving techniques, and growing complexity, with the ultimate goal of pulling Docker environments into a collective Docker Swarm.
In this campaign, TeamTNT has not only utilized Docker Hub to distribute malware but has also leveraged infected systems to provide computational power for third-party cryptocurrency mining, thereby expanding their profit channels.
Early signs of these attacks were detected in October, when initial evidence suggested that infected Docker instances were being herded into a Docker Swarm. Although attribution to TeamTNT was not confirmed at that time, recent analysis now reveals the larger scope of their operation.
The attacks involve scanning public Docker API endpoints that lack authentication using tools like masscan and ZGrab, allowing them to deploy miners and sell access to compromised systems on platforms such as Mining Rig Rentals. This setup reflects the maturity of TeamTNT’s operation, automating their revenue by offloading infrastructure management.
The attack relies on a custom script to identify and exploit Docker daemons on ports 2375, 2376, 4243, and 4244, targeting millions of IPs. Once compromised, an Alpine Linux container with embedded malicious commands is deployed. Through a breached Docker Hub account, TeamTNT deploys an initial script, TDGGinit.sh, initiating their post-exploit strategy.
A key difference in this campaign is their switch from using the Tsunami backdoor to the open-source Sliver C2 (command-and-control) framework, allowing for remote control over infected servers.
Consistent with their past behavior, they continue to use familiar naming patterns like Chimaera and TDGG, further confirming their involvement.
In addition, TeamTNT employs “anondns” to anonymize DNS queries linked to their web server, enhancing their operational secrecy. Concurrently, another researcher has reported a similar campaign by an unknown attacker using brute-force tactics to install the Prometei crypto-mining botnet, which exploits Remote Desktop Protocol (RDP) and Server Message Block (SMB) vulnerabilities.
To counter such sophisticated attacks, organizations should implementing rigorous vulnerability management, such as regular patching and disabling unnecessary open ports, can significantly reduce exposure.
Adopting tools that provide anomaly detection also help mitigate risks associated with cloud-based attacks.