
Sliver Malware

The notorious cryptojacking group TeamTNT seems to be gearing up for a fresh, large-scale campaign focused on infiltrating cloud-native environments to mine cryptocurrency and rent compromised servers to third parties.

Their current strategy involves:

  • Exploiting exposed Docker daemons to deploy the Sliver malware, a cyber worm, and a crypto-miner.
  • Leveraging both compromised servers and Docker Hub to spread their threatening software.

These activities highlight TeamTNT's persistent evolution in attack methods. It consistently adapts to launch complex, multi-stage attacks aimed at compromising Docker environments and recruiting them into a Docker Swarm.

In addition to using Docker Hub to host and distribute their malevolent payloads, TeamTNT has been seen renting out victims' computational power to other parties for unauthorized cryptocurrency mining, expanding its revenue streams.

Signs of this campaign surfaced earlier this month when researchers identified unorthodox efforts to cluster compromised Docker instances into a Docker Swarm. While initially hesitant to attribute these attacks to TeamTNT directly, researchers now believe the operation is far more extensive than initially understood.

How the New TeamTNT Attacks Work

The attacks involve detecting unauthenticated, exposed Docker API endpoints through masscan and ZGrab to deploy crypto-miners and list compromised infrastructure for rent on the Mining Rig Rentals platform, allowing TeamTNT to avoid managing these resources directly—highlighting the sophistication of their illicit business model.

This process uses an attack script that scans Docker daemons on ports 2375, 2376, 4243, and 4244 across approximately 16.7 million IP addresses, then deploys a container with an Alpine Linux image embedded with corrupted commands.

The image, sourced from a compromised Docker Hub account ('nmlm99'), executes an initial shell script known as the Docker Gatling Gun ('TDGGinit.sh') to launch further exploitation tasks.
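A defender-side check for the exposure pattern described above, added here as an example (it is not code from this article or from the researchers it cites): it parses a Docker daemon.json for TCP listeners on the scanned ports that lack TLS client verification, and flags containers whose image comes from the 'nmlm99' account or whose command references TDGGinit.sh. The daemon configuration and container inventory below are constructed samples.

```python
"""Audit for the Docker exposure pattern described in the article (constructed samples)."""
import json
from urllib.parse import urlsplit

SCANNED_PORTS = {2375, 2376, 4243, 4244}   # ports the campaign's scanner probes
SUSPICIOUS_IMAGE_OWNER = "nmlm99"           # Docker Hub account named in the article
SUSPICIOUS_SCRIPT = "TDGGinit.sh"           # initial dropper script named in the article

# Constructed sample daemon.json: a local socket plus a TCP listener with no TLS verification.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
# Constructed sample container inventory, shaped like `docker ps` output.
SAMPLE_CONTAINERS = [
    {"ID": "a1b2c3", "Image": "nginx:1.25", "Command": "nginx -g 'daemon off;'"},
    {"ID": "d4e5f6", "Image": "nmlm99/alpine:latest", "Command": "sh -c ./TDGGinit.sh"},
]

def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return a finding for each TCP listener reachable without TLS client verification."""
    cfg = json.loads(daemon_json)
    tls_client_auth = bool(cfg.get("tlsverify", False))  # tlsverify=true requires client certs
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        if tls_client_auth:
            continue
        port = url.port or 2375  # dockerd defaults to 2375 when no port is given
        if url.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"Docker API on all interfaces, port {port}, no TLS client auth")
        elif port in SCANNED_PORTS:
            findings.append(f"Docker API on {url.hostname}:{port}, no TLS client auth")
    return findings

def flag_containers(containers: list[dict]) -> list[str]:
    """Return IDs of containers matching the campaign's image owner or dropper script."""
    hits = []
    for c in containers:
        image = c["Image"]
        owner = image.split("/", 1)[0] if "/" in image else ""
        if owner == SUSPICIOUS_IMAGE_OWNER or SUSPICIOUS_SCRIPT in c.get("Command", ""):
            hits.append(c["ID"])
    return hits

def run_audit(daemon_json: str = SAMPLE_DAEMON_JSON, containers=SAMPLE_CONTAINERS) -> dict:
    """Combine both checks into one report."""
    return {"exposure": audit_daemon_config(daemon_json), "containers": flag_containers(containers)}

if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

On a real host, feed the function the contents of /etc/docker/daemon.json and the output of `docker ps --format '{{json .}}'` one object per line.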

A key update noted by researchers is TeamTNT's shift from the Tsunami backdoor to the Sliver Command-and-Control (C2) framework for remote control of infected servers, demonstrating an evolution in tactics. Additionally, the group continues to use its signature naming conventions, including Chimaera, TDGG, and bioset (for C2 operations), confirming that this is a typical TeamTNT campaign.

In this campaign, TeamTNT is also utilizing AnonDNS (Anonymous DNS), a service designed to enhance anonymity and privacy when resolving DNS queries, to redirect traffic to their web server.

Cybercriminals Continue to Spread Crypto-Miners

The findings come as researchers shed light on a new campaign that involved a targeted brute-force attack against an unnamed customer to deliver the Prometei crypto-mining botnet.

Prometei spreads in the system by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB), highlighting the threat actor's efforts to set up persistence, evade security tools, and gain deeper access to an organization's network through credential dumping and lateral movement.

The affected machines connect to a mining pool server, which can be used to mine cryptocurrencies (Monero) on compromised machines without the victim's knowledge.
