Summary:
TeamTNT, a notorious hacking group, is launching a new campaign targeting cloud-native environments by exploiting exposed Docker daemons to deploy Sliver malware and cryptominers. This campaign marks a return to their original tactics while leveraging cloud capabilities and compromised infrastructure for large-scale attacks. #TeamTNT #SliverMalware #CloudSecurity
Keypoints:
TeamTNT is preparing for a large-scale attack on cloud-native environments.
The group targets exposed Docker daemons to deploy Sliver malware and cryptominers.
They are utilizing Docker Hub for malware distribution and renting victims’ computational power.
Sliver malware replaces the previously used Tsunami backdoor, enhancing stealth and control.
Initial access is gained by exploiting exposed Docker daemons on specific ports.
TeamTNT has registered new domains to host malicious binaries and scripts.
The campaign employs various MITRE ATT&CK techniques for execution and persistence.
Organizations are urged to secure Docker instances and monitor for unusual activity.
MITRE Techniques:
Exploit Public-Facing Application (T1190): TeamTNT gains initial access by exploiting exposed Docker daemons on ports 2375, 2376, 4243, and 4244.
Command and Scripting Interpreter (T1059): The initial script, TDGGinit.sh, is executed on compromised systems to launch subsequent malicious actions.
Modify Cloud Compute Infrastructure – Create Cloud Instance (T1098): TeamTNT downloads the Docker and Docker Swarm binaries and joins the compromised Docker instances to a Docker Swarm.
Exploitation for Defense Evasion (T1203): Sliver malware evades detection through dynamic compilation with per-binary encryption keys.
Masquerading (T1036): TeamTNT uses familiar naming conventions to evade detection.
Unsecured Credentials: Credentials in Files (T1081): They search for keys and credentials, which are then used to spread the malware further.
Network Service Scanning (T1046): TeamTNT uses tools like masscan to scan for exposed Docker daemons.
Web Service – Dead Drop Resolver (T1071): Docker Hub and web servers are used to store and distribute malware.
Application Layer Protocol – DNS (T1071): Sliver malware supports DNS for Command and Control (C2) communication.
Resource Hijacking (T1496): Running a cryptominer on victim machines, or selling the victims' computational power.
IoC:
[IP Address] 188.114.96.7
[IP Address] 104.21.8.145
[IP Address] 172.67.130.114
[IP Address] 45.154.2.77
[IP Address] 95.182.101.23
[Domain] solscan.life
[Domain] solscan.one
[Domain] solscan.online
[Domain] solscan.store
[Domain] devnull.anondns.net
[Domain] teamtnt.red
[Binary file] MD5=b62ce36054a7e024376b98df7911a5a7 prochider (xmrig.so)
[Binary file] MD5=64c3ac5a0f4318f64f438e78a6b42d40 prochider (systemd.so)
[Binary file] MD5=8b553728900ba2e45b784252a1ff6d17 Sliver Malware (SPLENDID_ISLAND)
[Binary file] MD5=9dc2819c176c60e879f28529b1b08da1 Sliver Malware (bioset)
[Shell script] MD5=a733160e0603207d8328ddb025c43d42 TDGGinit, TDGGinit.sh
[Shell script] MD5=fdf9c2f7221de9f3567fc094d5e759a9 TDGG, TDGG.sh
[Shell script] MD5=0bc189bb53c9c92322e7b2fd6ac68bd7 docker
[Perl script] MD5=db2fbe4d00b222cab6dd00cdfdd38e31 scan.pl
[Docker Hub Account] nmlm99
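The key points above urge organizations to secure their Docker daemons and watch for the indicators listed. The following Python script is an added example written for this page; it is not code from Aqua's report or from TeamTNT's toolkit. It turns the IoC list into lookup tables, sweeps constructed sample log lines (DNS queries, connection records, a Docker pull, a file-hash inventory) for matches, and checks a `daemon.json` for a TCP listener on the attacked ports (2375, 2376, 4243, 4244) that lacks `tlsverify`. The log lines, the `/tmp/xmrig.so` path, the `PLACEHOLDER_IMAGE` name and the certificate paths in the sample configs are all constructed, not observed values.

```python
import json
import re
from typing import Dict, List, Tuple

# Indicators copied from the IoC list on this page.
IOC_IPS = {"188.114.96.7", "104.21.8.145", "172.67.130.114",
           "45.154.2.77", "95.182.101.23"}
IOC_DOMAINS = {"solscan.life", "solscan.one", "solscan.online",
               "solscan.store", "devnull.anondns.net", "teamtnt.red"}
IOC_MD5 = {
    "b62ce36054a7e024376b98df7911a5a7": "prochider (xmrig.so)",
    "64c3ac5a0f4318f64f438e78a6b42d40": "prochider (systemd.so)",
    "8b553728900ba2e45b784252a1ff6d17": "Sliver (SPLENDID_ISLAND)",
    "9dc2819c176c60e879f28529b1b08da1": "Sliver (bioset)",
    "a733160e0603207d8328ddb025c43d42": "TDGGinit.sh",
    "fdf9c2f7221de9f3567fc094d5e759a9": "TDGG.sh",
    "0bc189bb53c9c92322e7b2fd6ac68bd7": "docker (shell script)",
    "db2fbe4d00b222cab6dd00cdfdd38e31": "scan.pl",
}
IOC_DOCKERHUB_USERS = {"nmlm99"}
# Ports the campaign probes for exposed Docker daemons (from T1190 above).
DOCKER_API_PORTS = {2375, 2376, 4243, 4244}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_matches(host: str) -> bool:
    """True for an IoC domain or any subdomain of one (e.g. a.solscan.life)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, indicator_type, value) for every IoC hit in the lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, "ip", ip))
        for digest in MD5_RE.findall(line):
            if digest.lower() in IOC_MD5:
                hits.append((n, "md5", digest.lower()))
        for host in HOST_RE.findall(line):
            if domain_matches(host):
                hits.append((n, "domain", host.lower()))
        for user in IOC_DOCKERHUB_USERS:
            # Image references look like "<user>/<image>"; match the user prefix only.
            if re.search(r"\b" + re.escape(user) + r"/", line):
                hits.append((n, "dockerhub", user))
    return hits


def exposed_docker_listeners(daemon_json: str) -> List[Dict[str, object]]:
    """Flag tcp:// listeners in a dockerd daemon.json that are not protected by tlsverify."""
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify"))
    findings = []
    for listener in cfg.get("hosts", []):
        m = re.match(r"tcp://([^:/]*)(?::(\d+))?", listener)
        if not m:
            continue  # unix:// and fd:// sockets are not network-reachable
        # dockerd defaults an unported tcp:// host to 2375 (no TLS) or 2376 (TLS).
        port = int(m.group(2)) if m.group(2) else (2376 if cfg.get("tls") else 2375)
        if not tls_verify:
            findings.append({"listener": listener, "port": port,
                             "targeted_port": port in DOCKER_API_PORTS})
    return findings


# Constructed sample input (not real telemetry) in a simple key=value log style.
SAMPLE_LOGS = [
    "2024-10-20T10:01:02Z dns query client=10.0.0.5 qname=solscan.life type=A",
    "2024-10-20T10:01:07Z conn src=10.0.0.5 dst=45.154.2.77 dport=443 proto=tcp",
    "2024-10-20T10:02:11Z docker pull image=nmlm99/PLACEHOLDER_IMAGE",
    "2024-10-20T10:03:00Z file md5=b62ce36054a7e024376b98df7911a5a7 path=/tmp/xmrig.so",
    "2024-10-20T10:04:00Z dns query client=10.0.0.6 qname=example.com type=A",
]
# Constructed daemon.json fragments: the weak setting beside a hardened one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
                        ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
                        ' "tlscert": "/etc/docker/server-cert.pem",'
                        ' "tlskey": "/etc/docker/server-key.pem"}')

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print("IoC hit:", hit)
    print("weak config:", exposed_docker_listeners(WEAK_DAEMON_JSON))
    print("hardened config:", exposed_docker_listeners(HARDENED_DAEMON_JSON))
```

The hardened config passes because `tlsverify` makes dockerd require a client certificate signed by the configured CA; binding the API to `0.0.0.0` without that setting is exactly the condition the campaign's masscan sweep looks for. The domain check matches subdomains as well as the bare IoC domains, since C2 over DNS (T1071 above) typically uses labels under a controlled zone.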
Full Research: https://blog.aquasec.com/threat-alert-teamtnts-docker-gatling-gun-campaign