Researchers have linked the botnet to a cybercrime operation known as TeamTNT, previously reported on Cyberthrone in August 2020, which was installing cryptocurrency-mining malware on misconfigured container platforms.
Researchers said the TeamTNT group would access exposed Docker containers and install crypto-mining malware, but would also steal credentials for Amazon Web Services (AWS) servers in order to pivot to a company's other IT systems, infect even more servers, and deploy more crypto-miners.
Trend Micro researchers said that the TeamTNT gang’s malware code had received considerable updates since it was first spotted last summer.
Compared to past similar attacks, the development technique was much more refined for this script.
"There were no more endless lines of code, and the samples were well-written and organized by function with descriptive names."
TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS credential-stealing code.
This feature is most likely used on container platforms where the botnet infects hosts through entry points other than its original Docker API port-scanning feature.
In addition to implementing Docker authentication, companies should make sure Docker management APIs aren't exposed online in the first place, even when using strong passwords. Deploy firewalls for opening API ports and allow list
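The two daemon configurations below, and the audit that tells them apart, are an added example written for this page; they are not code from the article, from Trend Micro, or from TeamTNT's samples. The weak configuration is the kind of exposure the botnet's port scanning looks for (an unauthenticated `tcp://0.0.0.0:2375` listener); the hardened one binds to a single internal address, requires TLS client certificates, and is meant to sit behind an allowlisting firewall. The `daemon.json` keys (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are real Docker daemon options; the file contents, the address `10.0.0.5`, the certificate paths and the allowlisted network are constructed for the example.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample daemon.json contents (not from the article): the exposure
# the botnet scans for, and the hardened equivalent.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,                       # require a client cert signed by the CA
    "tlscacert": "/etc/docker/ca.pem",       # assumed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def _is_wildcard(host):
    """True if the bind address means 'every interface' (empty, 0.0.0.0, ::)."""
    host = host.strip("[]")
    if host == "":
        return True
    try:
        return ip_address(host).is_unspecified
    except ValueError:          # a hostname, not an IP literal
        return False


def audit_daemon_config(text):
    """Return a list of findings for a daemon.json document (empty if clean)."""
    cfg = json.loads(text)
    findings = []
    for h in cfg.get("hosts", []):
        if not h.startswith("tcp://"):
            continue            # unix:// and fd:// sockets are local-only
        host, _, _port = h[len("tcp://"):].rpartition(":")
        if _is_wildcard(host):
            findings.append(f"{h}: daemon bound on all interfaces")
        if not cfg.get("tlsverify"):
            findings.append(f"{h}: TCP listener without tlsverify (no client auth)")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{h}: tlsverify set but CA/cert/key paths missing")
    return findings


def iptables_allowlist_rules(port, allowed_cidrs):
    """Build iptables rules that accept the API port only from allowed_cidrs
    and drop everything else. CIDRs are validated before use."""
    rules = []
    for cidr in allowed_cidrs:
        net = ip_network(cidr, strict=True)   # raises on a malformed allowlist entry
        rules.append(f"-A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(doc) or ["no findings"])
    # Allowlist only the management subnet (constructed) for the TLS port.
    print("\n".join(iptables_allowlist_rules(2376, ["10.0.0.0/24"])))
```

Even the hardened daemon should not be reachable from the internet: `tlsverify` stops anonymous clients, but a stolen client certificate, the kind of credential the article says this malware now collects from Docker configuration, would still grant full API access, so the firewall allowlist is the layer that limits where that stolen material can be used from.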