TeamTNT has launched a new large-scale campaign targeting cloud services for cryptocurrency mining. Using compromised servers, attackers not only mine cryptocurrency, but also lease resources to third parties.
TeamTNT focuses on exposed Docker services to distribute malware, including Sliver and cryptominers, pushing its payloads through Docker Hub accounts to reach more servers. An investigation by Aqua Security revealed the use of the Docker infrastructure for automated threat propagation, with bulk port scanning tools used to locate exposed hosts before malware is deployed. Datadog reported that TeamTNT is also enrolling the compromised Docker hosts into a Docker Swarm, which expands the group's illegal infrastructure. Instead of Tsunami, the group now uses the Sliver framework to gain remote control over infected machines.
TeamTNT is well known in the security community for its ability to quickly adapt to new illegal mining techniques. The group first drew attention to itself when it attacked cloud infrastructure to steal computing resources. Its actions included scanning for reachable Docker APIs and deploying malicious containers to mask its operations and optimize the resources it stole.
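The conditions described above (an unauthenticated Docker API reachable over TCP, and containers pulled from an untrusted registry running with host-level privileges) can be audited from the daemon configuration and `docker inspect` output. The following is an added defender-side example, not code from the article or from any of the vendors it cites; the daemon.json and container records are constructed sample input, and the trusted-registry allow-list is an assumption.

```python
import json

# Constructed sample input for this example: a daemon.json and two trimmed
# `docker inspect` records. These are hand-written, not real indicators.
DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"], "tls": false}'
CONTAINERS_JSON = '''[
 {"Name": "/web", "Config": {"Image": "registry.internal.example/web:1.4"},
  "HostConfig": {"Privileged": false, "PidMode": "", "Binds": []}},
 {"Name": "/worker", "Config": {"Image": "someuser/worker:latest"},
  "HostConfig": {"Privileged": true, "PidMode": "host", "Binds": ["/:/host"]}}
]'''

# Assumption: only images from this registry are expected on the host.
TRUSTED_REGISTRIES = ("registry.internal.example/",)


def audit_daemon(daemon_json: str) -> list:
    """Flag Docker API listeners exposed over TCP without client TLS verification."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(f"unauthenticated TCP API listener: {host}")
    return findings


def audit_container(record: dict) -> list:
    """Flag images from outside the allow-list and host-escaping run options."""
    name = record["Name"].lstrip("/")
    image = record["Config"]["Image"]
    hc = record["HostConfig"]
    findings = []
    if not image.startswith(TRUSTED_REGISTRIES):
        findings.append(f"{name}: image from untrusted registry ({image})")
    if hc.get("Privileged"):
        findings.append(f"{name}: privileged container")
    if hc.get("PidMode") == "host":
        findings.append(f"{name}: shares host PID namespace")
    for bind in hc.get("Binds", []):
        if bind.split(":")[0] == "/":
            findings.append(f"{name}: host root bind-mounted ({bind})")
    return findings


def audit(daemon_json: str, containers_json: str) -> list:
    findings = audit_daemon(daemon_json)
    for record in json.loads(containers_json):
        findings.extend(audit_container(record))
    return findings


if __name__ == "__main__":
    for finding in audit(DAEMON_JSON, CONTAINERS_JSON):
        print("FINDING:", finding)
```

On a real host, feed it the daemon.json from `/etc/docker/` and the output of `docker inspect $(docker ps -q)`; the same checks apply to every node after a Swarm join.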