In particular, masscan is invoked differently. There are also several commented-out sections, indicating that the threat actors were still iterating on their tools, testing them and expanding their arsenal.

Notably, the IP address 45[.]9[.]148[.]182 has a history of being associated with TeamTNT's infrastructure, as it has been used by multiple domains:

  • dl.chimaera[.]cc
  • githb[.]net (inactive)
  • github-support[.]com (inactive)
  • irc.borg[.]wtf
  • irc.chimaera[.]cc
  • irc.teamtnt[.]red

Our July 2021 research into TeamTNT showed that the group previously used credential stealers that would rake in credentials from configuration files. This could be how TeamTNT gained the information it used for the compromised sites in this attack.

Based on the scripts being executed and the tooling being used to deliver coinminers, we arrive at the following conclusions connecting this attack to TeamTNT:

  1. "alpineos" (with a total of more than 150,000 pulls with all images combined) is one of the primary Docker Hub accounts being actively used by TeamTNT.
  2. There are compromised Docker Hub accounts that are being controlled by TeamTNT to spread coinmining malware.

We have already reached out to Docker and are awaiting their next course of action. In an upcoming blog, we take a look into the attack techniques being used by the threat actor.

Conclusion

Exposed Docker APIs have become prevalent targets for attackers, as these allow them to execute their own malicious code with root privileges on a targeted host if security considerations are not accounted for. This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives.

Indicators of Compromise

Type Identifier/Hash
Shell script 79ed63686c8c46ea8219d67924aa858344d8b9ea191bf821d26b5ae653e555d9
Shell script 497c5535cdc283079363b43b4a380aefea9deb1d0b372472499fcdcc58c53fef
Shell script a68cbfa56e04eaf75c9c8177e81a68282b0729f7c0babc826db7b46176bdf222
Domain teamtnt[.]red
IP address 45[.]9[.]148[.]182

Disclaimer

Trend Micro Inc. published this content on 09 November 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 09 November 2021 13:23:20 UTC.