TeamTNT’s Docker Gatling Gun Campaign
![](https://cdn.prod.website-files.com/660d9c7403313faf4f56d9bb/67896ab9eb24a9d094f1b566_blog-main-TeamTNT-Docker-Gun-1200x628-2024-final-copy.jpeg)
TeamTNT, a known hacking group, has launched a new campaign targeting exposed Docker daemons. The group deploys Sliver malware, a cyberworm, and cryptominers, using compromised servers and Docker Hub to spread malware. It leverages cloud environments by adding compromised Docker instances to a Docker Swarm and using Docker Hub to distribute malware, and it rents out victims' computational power for cryptomining.

The attack flow begins with exploiting exposed Docker daemons (ports 2375, 2376, 4243, and 4244) using a script called "Docker Gatling Gun," which deploys a container with malicious commands. Sliver malware, replacing the older Tsunami backdoor, provides command and control. TeamTNT uses compromised Docker Hub accounts (such as nmlm99) to host malware images, including cryptominers (XMRIG, T-Rex miner, CGMiner, BFGMiner, and SGMiner). The campaign also uses compromised web servers (solscan.life, solscan.one, solscan.online, solscan.store) and potentially IRC servers (port 6670).

The group's tactics align with MITRE ATT&CK framework techniques, including exploiting public-facing applications, command execution, persistence, defense evasion (using Sliver and familiar naming conventions such as Chimaera), credential access, and resource hijacking. Indicators of compromise (IOCs) include specific IP addresses, domains, and malware file hashes.
The attacker began by exploiting exposed Docker daemons (T1190) using a script called "Docker Gatling Gun," deploying a container with malicious commands (T1059). Container Drift Protection (Binaries & Scripts) prevents the execution of unauthorized binaries and scripts, thus mitigating the deployment of the malicious container. Subsequently, the attacker used Sliver malware (T1211) for command and control (T1071.004, T1090), and to execute further commands (T1059). Container Drift Protection (Binaries & Scripts) again plays a crucial role by preventing the execution of any unauthorized binaries or scripts introduced by the malware. Finally, the attacker leveraged compromised Docker instances in a Docker Swarm (T1578.002) for persistence and to hijack resources (T1496) for cryptomining.
- T1190: Exploit Public-Facing Application: The attack gains initial access by exploiting exposed Docker daemons on ports 2375, 2376, 4243, and 4244. This is a well-known technique used to compromise systems that have publicly accessible services.
- T1059: Command and Scripting Interpreter: The initial script, TDGGinit.sh, is executed on compromised systems to launch subsequent malicious actions.
- T1578.002: Modify Cloud Compute Infrastructure: Create Cloud Instance: TeamTNT appends compromised Docker instances to a Docker Swarm, allowing them to persist in the environment as part of a larger cluster, ensuring continued access and control.
- T1211: Exploitation for Defense Evasion: TeamTNT uses Sliver malware, which replaces their previous Tsunami malware. Sliver is harder to detect and evades traditional detection methods by dynamically compiling with per-binary encryption keys.
- T1036: Masquerading: TeamTNT uses names like Chimaera and other familiar naming conventions to evade detection by masquerading as legitimate processes or infrastructure.
- T1014: Rootkit: We found the prochider rootkit ready to deploy on TeamTNT’s download server. They have used it in past campaigns.
- T1552: Unsecured Credentials: Once they gain access, TeamTNT searches the host for keys and credentials (SSH keys, for example) and queries cloud metadata servers.
- T1046: Network Service Discovery: TeamTNT uses tools like Masscan to aggressively scan the internet for exposed Docker daemons and other vulnerable systems, identifying additional targets.
- T1018: Remote System Discovery: The campaign involves local network scanning to find additional systems that can be compromised.
- T1102.001: Web Service: Dead Drop Resolver: TeamTNT uses Docker Hub and web servers as part of their infrastructure to store and distribute malware and to manage infected systems.
- T1071.004: Application Layer Protocol: DNS: The Sliver implant TeamTNT uses supports DNS for Command and Control (C2) communication, in addition to HTTP(S) and mTLS.
- T1090: Proxy: Sliver supports WireGuard and other proxy techniques to tunnel C2 communications through legitimate channels, bypassing detection.
- T1496: Resource Hijacking: TeamTNT runs cryptominers on compromised hosts as part of the campaign, or sells its victims' computational power.
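Added here as a defender's check, not code from the original write-up or from TeamTNT's tooling: a Python audit for the exposure the campaign depends on, a Docker daemon reachable over plain TCP on the ports the scan targets. It reads a daemon.json and an `ss -tlnp` snapshot (both constructed below; file paths, PIDs and addresses are assumptions) and flags a TCP-bound API without tlsverify, showing the weak configuration beside the hardened one.

```python
import json
import re
from typing import Dict, List

# Ports the campaign scans for, as listed in the write-up.
DOCKER_API_PORTS = {2375, 2376, 4243, 4244}
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}
# Matches data lines of `ss -tlnp`: "LISTEN <recv-q> <send-q> <addr>:<port> ..."
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def audit_daemon_json(text: str) -> List[Dict[str, str]]:
    """Flag 'hosts' entries that expose the API over TCP. Without tlsverify,
    anyone who can reach the port can start containers on the host."""
    cfg = json.loads(text)
    tls = bool(cfg.get("tlsverify"))
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://"):
            risk = "tcp-with-tls-client-auth" if tls else "unauthenticated-tcp"
            findings.append({"host": host, "risk": risk})
    return findings

def exposed_listeners(ss_output: str) -> List[Dict[str, object]]:
    """Flag sockets listening on a Docker API port on a non-loopback address."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port in DOCKER_API_PORTS and addr not in LOOPBACK:
            hits.append({"addr": addr, "port": port})
    return hits

# Constructed samples (assumed paths and values, not from a real host).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
                        ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
                        ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
LISTEN 0      4096   *:2375             *:*               users:(("dockerd",pid=812,fd=9))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=600,fd=3))
"""

if __name__ == "__main__":
    print("weak daemon.json:", audit_daemon_json(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", audit_daemon_json(HARDENED_DAEMON_JSON))
    print("exposed listeners:", exposed_listeners(SAMPLE_SS))
```

The hardened entry still reports the TCP binding, since a network-reachable API remains a finding to review even with client certificate verification on.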