TeamTNT is gearing up for a large-scale cloud-native attack by targeting exposed Docker daemons to deploy Sliver malware and cryptominers, leveraging compromised servers and Docker Hub for distribution and persistence. The campaign marks a return to their roots with new tools like Sliver, replacing Tsunami for stealthier operations, and expanding with cloud-native infrastructure and new domains. #TeamTNT #Sliver
Key points
- TeamTNT is targeting exposed Docker daemons to deploy Sliver malware and cryptominers.
- The group uses compromised servers and Docker Hub as infrastructure for distribution and persistence, including Docker Swarm.
- They replaced the Tsunami backdoor with Sliver for stealthier operations, with Sliver supporting multi-protocol C2.
- Indicators include naming conventions (e.g., Chimaera) and familiar infrastructure patterns tied to TeamTNT.
- The campaign gains initial access through Docker daemons exposed on TCP ports 2375, 2376, 4243 and 4244, using a scanner the report dubs the Docker Gatling Gun.
- Sliver’s multi-protocol C2 (including DNS, HTTP(S), mTLS, WireGuard) complicates detection.
- New domains and cloud-native tools are being tested, with ongoing use of Docker Hub for hosting and distribution.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Initial access by exploiting exposed Docker daemons on ports 2375, 2376, 4243, and 4244.
- [T1059] Command and Scripting Interpreter – Execution of the initial script TDGGinit.sh on compromised systems.
- [T1572] Modify Cloud Compute Infrastructure – Create Cloud Instance – Downloading Docker and Docker Swarm binaries to persist in the environment.
- [T1203] Exploitation for Defense Evasion – Using Sliver malware to evade traditional detection methods.
- [T1036] Masquerading – Using familiar naming conventions like Chimaera to evade detection.
- [T1014] Rootkit – Deployment of the prochider rootkit found on TeamTNT’s download server.
- [T1081] Unsecured Credentials: Credentials in Files – Searching for and accessing credentials such as SSH keys and cloud metadata.
- [T1046] Network Service Scanning – Using tools like masscan to scan for exposed Docker daemons.
- [T1018] Remote System Discovery – Local network scanning to find additional systems to compromise.
- [T1071] Web Service – Dead Drop Resolver – Using Docker Hub and web servers for malware distribution and management.
- [T1071] Application Layer Protocol – DNS – Using DNS for C2 communication with Sliver malware.
- [T1090] Proxy – Using WireGuard and other proxy techniques for C2 communications.
- [T1496] Resource Hijacking – Running cryptominers and selling the computation power of victims.
Indicators of Compromise
- [IP Address] Host download server – 188.114.96.7, 104.21.8.145, 172.67.130.114, 45.154.2.77, and 95.182.101.23
- [Domain] Domains – solscan.life, solscan.one, solscan.online, solscan.store, devnull.anondns.net, teamtnt.red
- [Binary file] prochider (xmrig.so) – MD5=b62ce36054a7e024376b98df7911a5a7
- [Binary file] prochider (systemd.so) – MD5=64c3ac5a0f4318f64f438e78a6b42d40
- [Binary file] Sliver Malware (SPLENDID_ISLAND) – MD5=8b553728900ba2e45b784252a1ff6d17
- [Binary file] Sliver Malware (bioset) – MD5=9dc2819c176c60e879f28529b1b08da1
- [Shell script] TDGGinit – MD5=a733160e0603207d8328ddb025c43d42
- [Shell script] TDGG – MD5=fdf9c2f7221de9f3567fc094d5e759a9
- [Shell script] docker – MD5=0bc189bb53c9c92322e7b2fd6ac68bd7
- [Perl script] scan.pl – MD5=db2fbe4d00b222cab6dd00cdfdd38e31
- [Docker Hub Account] nmlm99 – https://hub.docker.com/u/nmlm99
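As an added defender-side example (not code from the Aqua report), the following Python matches log lines against indicators listed on this page: inbound connections to the Docker API ports from outside private address space, container-creation API calls from external sources, the campaign's script names, and its domains. The key=value log format and the sample lines are assumptions constructed for this example.

```python
import ipaddress
import re

# Indicators taken from this report.
DOCKER_API_PORTS = {2375, 2376, 4243, 4244}  # ports probed for exposed daemons
TEAMTNT_DOMAINS = {"solscan.life", "solscan.one", "solscan.online",
                   "solscan.store", "devnull.anondns.net", "teamtnt.red"}
SCRIPT_RE = re.compile(r"\b(?:TDGGinit\.sh|TDGG|scan\.pl)\b")  # scripts in the IOC list

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_kv(line):
    """Parse a 'key=value key="quoted value"' log line (assumed format) into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_external(ip):
    """True for sources outside RFC1918, loopback and link-local space."""
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def classify(line):
    """Return the set of indicator tags one log line matches."""
    f, tags = parse_kv(line), set()
    ext = "src" in f and is_external(f["src"])
    if ext and int(f.get("dport", 0)) in DOCKER_API_PORTS:
        tags.add("external_docker_api_access")
    if ext and f.get("method") == "POST" and f.get("path", "").endswith(
            ("/containers/create", "/images/create")):
        tags.add("remote_container_create")
    if SCRIPT_RE.search(line):
        tags.add("teamtnt_script_name")
    if any(h.lower() in TEAMTNT_DOMAINS for h in HOST_RE.findall(line)):
        tags.add("teamtnt_domain")
    return tags

def scan_logs(lines):
    """Return [(line_number, sorted tags)] for every line matching an indicator."""
    return [(n, sorted(t)) for n, l in enumerate(lines, 1) if (t := classify(l))]

# Constructed sample lines (not from the report) in the assumed key=value format.
SAMPLE_LOGS = [
    "flow src=10.0.0.5 dst=10.0.0.12 dport=2375",  # internal client, benign
    "flow src=203.0.113.7 dst=10.0.0.12 dport=2375",  # external probe of the API port
    "api src=203.0.113.7 dport=2375 method=POST path=/v1.43/containers/create",
    'shell host=web01 cmd="sh /tmp/TDGGinit.sh"',
    "dns host=web01 query=solscan.life type=A",
    "dns host=web01 query=docs.docker.com type=A",  # benign lookup
]

if __name__ == "__main__":
    for n, tags in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(tags)}")
```

Hits on the sample data are the external probe (line 2), the external container-create call (line 3), the script name (line 4) and the campaign domain (line 5); the internal client and the benign DNS lookup produce no tag.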
Read more: https://www.aquasec.com/blog/threat-alert-teamtnts-docker-gatling-gun-campaign/