TeamTNT Botnet Updated to Steal Docker and AWS Credentials

Some apps in /Applications are owned by root, but for reasons unknown to the authors, some non-system apps are owned by the user. User-owned apps include Docker, Google Chrome, Visual Studio Code, and iTerm, while Slack, VMWare Fusion, and Wireguard are owned by root. The install of apt within the Service Container is broken in several ways, which may be troublesome if we want to install additional software within the Service Container. The installed software is minimal by design and doesn’t include common tools such as curl. The Service Container is used by Docker internally, so it does not show up when the user runs docker ps, docker container ls, etc. A backdoored version of runc can be created easily enough by modifying and compiling its open-source code.

Once the infrastructure has been compromised, the bot sets up its own containers to mine Monero cryptocurrency and to scan for additional Docker and Kubernetes servers. Attackers install a number of other malicious tools as well, including an SSH post-exploitation script called punk.py, a log cleaning tool, the Diamorphine rootkit, and the Tsunami IRC backdoor. TeamTNT’s cryptocurrency mining botnet was first reported in May by MalwareHunterTeam and further analyzed by Trend Micro researchers, who discovered its affinity for misconfigured Docker containers. The spreading script works by looking for further accessible networks based on the output of the _ip route_ command. The _pnscan_ tool finds active SSH services on the network before attempting authentication using any keys already found on the network.

TeamTNT’s tweet about managing a group of 12 programmers

TeamTNT’s Github profile contains 25 public repositories, most of which are forks of popular red teaming tools and other repositories possibly leveraged by them. The threat actor group TeamTNT compromised multiple cloud instances and containerized environments. So, heading to the next section of this tutorial on what a botnet is, you will learn how to protect yourself from a botnet attack. First discovered in 2016, 3ve was a different type of botnet that did not steal data or money and instead generated fake clicks on online advertisements hosted by fake websites. This financial Trojan accounted for 90% of all global online bank fraud instances at its peak.

Cado Security continues to see a rise in attackers developing tools and techniques specifically targeting cloud and container environments. It is important organisations remain vigilant and continue to adapt to these new threats. In December, the team at TrendMicro analysed the payload of an ongoing TeamTNT attack and shared that its updated code contained an IRC bot which its authors named ‘TNTbotinger’. Further analysis by the Lacework team indicated that TNTbotinger was malware known as ‘Ziggy StarTux’, which is a variant of Kaiten.

Because we are running in a special container used by Docker internally, the container does not show up when the user runs docker ps, docker container ls, etc. There is no configuration option for enabling/disabling gRPC file sharing within the config file, only within the UI. We cannot interact with the UI, but we can disable gRPC file sharing by disabling the feature flag controlling it in $HOME/Library/Group\ Containers/group.com.docker/features-overrides.json. Still, if we want to access even more directories on the host, we can, by editing the Filesystem Sharing option in Docker’s config file.

As a legitimate use case, a user might want to authenticate their DockerHub repository to create containers based on the images in their private repository. Developers often need their Docker containers to be able to access their local files and network, so Docker Desktop has features which allow this, bypassing the need to escape the VM. Because malware running in the VM has the same privileges as Docker containers, we’re not exploiting vulnerabilities in software when we access the host machine’s files and network – we’re just using features of Docker Desktop. The bot herder can direct every bot to carry out a coordinated illegal action from a single central location. A botnet can have several bots and thus allows the attacker to carry out large-scale attacks. Infected devices can acquire updates and modify their behavior easily and quickly since a remote attacker controls them.

This binary was chosen because it already exists on the host, runs automatically while Docker is running, and already receives a lot of network traffic from containers. However, we have an extra stealth advantage, in that our traffic is not attributable to a particular process. Docker Desktop sends all traffic from all containers via the com.docker.vpnkit process, which is always running on the user’s machine. Our traffic then blends in with the traffic from all the other containers running.

This process is the virtual machine process, and it will already be running if the user is running Docker Desktop. The process list looks the same whether or not we run big_malware.sh in the VM. Misconfigured Docker daemons are a well-known security issue that has been around for years, and attackers continue to take advantage of it. Attackers seem to acknowledge this and, in response, design their malware to identify rival counterparts and stop them, so that theirs will be the only malware in the system. In cases where organisations must enable the API ports, Trend Micro recommends that companies deploy firewalls. Alfredo Oliveira, a senior security researcher at Trend Micro, says that TeamTNT has now also added a feature.
