The Uptycs Threat Research Team spotted a campaign in which the TeamTNT threat actors deployed a malicious container image on Docker hub.
The Uptycs Threat Research Team recently identified a campaign in which the TeamTNT threat actors deployed a malicious container image (hosted on Docker Hub) with an embedded script to download Zgrab scanner and masscanner—penetration testing tools used for banner grabbing and port scanning respectively. Using the scanning tools inside the malicious Docker image, the threat actor tries to scan for more targets in the victim’s subnet and perform further malicious activities.
Criminal groups continue to target Docker Hub, GitHub, and other shared repositories with container images and software components that include malicious scripts and tools. They often aim to spread coinminer malware, hijacking the computing resources of victims to mine cryptocurrency.
In this post, we will detail the technical analysis of the malicious components deployed by the TeamTNT threat actor.
Alpineos profile – Responsible Disclosure
The malicious Docker image was hosted in Docker Hub under the handle name alpineos, a community user who joined Docker Hub on May 26, 2021. At the time of this writing, alpineos profile was hosting 25 Docker images (See Figure 1).
Figure 1: Alpineos Docker hub handle
The Dockerapi image which we analysed had 5,400 downloads within approximately two weeks of being added. Another Docker image from the repository, ‘basicxmr’ has been downloaded more than 100,000 times. This clearly suggests that the profile is actively developing malicious images.
The Uptycs Threat Research Team reported the Docker image hosted in the Docker Hub website to the security team on September, 30 2021.
TeamTNT threat actor
TeamTNT is a well known threat actor which targets *nix based systems and misconfigured Docker container environments. Threat actors associated with TeamTNT mostly use open-source tools in their campaigns, such as XMrig miner, Tsunami IRC bot (a.k.a kaiten) and the diamorphine rootkit.
The Attack kill chain
The attack kill chain we observed TeamTNT using is shown below (see Figure 2).
Figure 2: TeamTNT attack life cycle
The different stages of the attack kill chain depicted above are as follows:
- Using the monero-ocean shell script, TeamTNT/Hilde deployed a new malicious Docker image named Dockerapi which was hosted on Docker hub website.
- Using Docker, the malicious image was run with the privilege flag, and was mounted with the victim host and victim host’s network configuration.
- The malicious Docker image had an embedded shell script named ‘pause’.
- The ‘pause’ shell script inside the malicious Docker image had commands to install masscanner and the zgrab tool.
- After setting up the scanning tools, the functions in the ‘pause’ script start scanning rigorously in the victim subnet on Docker related ports for more target virtual machines (nodes). A node is a part of Docker swarm. A Docker swarm is a group of physical or virtual machines (nodes) operating in a cluster.
- Once the target node is found as a result of the Docker-related port scan in the victim subnet, the pause shell script runs the misconfigured alpine Docker image remotely (from the victim machine) in the target node, passing a base64 command as command line. The command:
- Generates the ssh keys and adds it to authorized_keys file.
- Logs into the target node’s host via ssh and downloads the monero-ocean shell script from the C2 (teamtnt[.]red) into the target node’s host.
- The monero-ocean shell script in this campaign later deploys Xmrig miner and the Tsunami IRC bot on the system it is being run on.
- The monero-ocean shell script also downloads another shell script (diamorphine shell script) which downloads and deploys the diamorphine rootkit to the victim’s system.
- The diamorphine rootkit consists of features like hiding the pid, syscall table hooking and giving root privilege to the pid.
The monero-ocean shell script (c21d1e12fea803793b39225aee33fe68b3184fff384b1914e0712e10630e523e) used as initial vector had the following command to deploy alpineos/Dockerapi Docker image onto the victim system (see Figure 3)
Figure 3: Command to deploy Dockerapi container image
The command shown above runs the Dockerapi image with the following:
- –privilege flag
- –net flag to have host’s network configuration inside container
- /host mounted inside container image
Using the command Docker ps, we can identify the malicious Docker image runs pause shell script (see Figure 4).
Figure 4: Dockerapi image runs pause shell script
The pause shell script inside Docker image installs basic utilities and the scanning tools Zgrab and masscan (see Figure 5).
Figure 5: Initial setup done by pause shell script
Upon installation of these tools, commands inside the pause shell script start heavy scanning on Docker related ports in an attempt to target more nodes (machines) in the victim subnet (see Figures 6,7).
Figure 6: Docker related scanned ports in the victim subnet
Figure 7: Masscan and Zgrab commands used for scanning
Masscan and zgrab
Masscan and zgrab scanning commands are used in the Docker container image for scanning and banner grabbing. The functionality of these commands is listed below.
masscan 184.108.40.206/8 -p2377 –rate 50000
The masscan works much like nmap utility which is used for scanning target IPs. In this case masscan scans with a rate of 50,000 pks/sec which is a huge rate against the port 2377.
zgrab –senders 200 –port 2377 –http=/v1.16/version –output-file=-2>dev/null
The zgrab tool is used for vulnerability scanning and part of the zmap project. In this case the attacker used zgrab with 200 send coroutines (threads) for banner grabbing and saving the IP addresses with target opened ports in an output file.
Alpine Docker image deployment
As a result of scanning, once the target node is found, the command inside pause shell script performs the following:
- Remotely runs the alpine Docker image with full privilege and host mounted on the target node.
- Uses a base64 encoded command which adds newly generated ssh keys to authorized_keys file.
- Using the same command, logs into the target node’s host with ssh and downloads the monero-ocean shell script in the target host (see Figures 8,9).
Figure 8: base64 encoded command passed with misconfigured alpine image
Figure 9: Decoded base64 – Monero-ocean shell script getting downloaded and executed
Xmrig miner, IRC bot and DiaMorphine Rootkit
The monero-ocean shell script later deploys Xmrig miner and the Tsunami IRC bot on the system it is being run on (see Figures 10 and 11).
Figure 10: command to download XMrig miner
Figure 11: command to download IRC bot
The IRC bot in the victim machine communicates with attacker C2 over port 8080 (see Figure 12).
Figure 12: IRC communication on port 8080
Alongside this, the monero-ocean shell script also contained the command to download diamorphine rootkit shell script (see Figure 13).
Figure 13: command to download diamorphine shell script
The diamorphine shell script (418d1ea67110b176cd6200b6ec66048df6284c6f2a0c175e9109d8e576a6f7ab) deploys the diamorphine rootkit in the victim system (see Figure 14).
Figure 14: Diamorphine Rootkit getting compiled and deployed
The diamorphine rootkit consists of features like hiding the pid, syscall table hooking and giving root privilege to the pid (see Figures 15 and 16).
Figure 15: cr0 WP bit modification for syscall table hooking
Figure 16: Hooked syscalls (getdents and kill)
Uptycs EDR detections
The Uptycs EDR armed with YARA process scanning detected the malware components involved in this campaign with a threat score of 10/10 (see Figure 17,18,19). In addition, Uptycs offers the following abilities to secure your container deployments:
- Uptycs integrates with CI/CD tools so that developers can initiate image scans at build time to detect malicious container images before they are deployed to production.
- Uptycs continuously monitors and reports on compliance with the CIS Benchmark for Docker to identify misconfigurations that attackers can exploit, and offer remediation guidance so that your team can quickly fix those issues.
Figure 17: Uptycs EDR detection
Figure 18: masscan command captured by the Uptycs EDR
Figure 19: zgrab command captured by the Uptycs EDR
Docker containers have become an integral part of the organisations. A lot of services nowadays run in isolated Docker containers. The threat actors on the other side are also trying to deploy malicious components to escape Docker containers and target host machines and the other nodes connected in a subnet and its swarm. Hence, to maintain a robust security stance, it is crucial to be able to detect malicious images early in the CI/CD pipeline as well as monitor all the container activities in runtime.
The EDR capabilities of Uptycs empowers security teams to detect, investigate attacks in their Docker infrastructure.
Credits: Thanks to Uptycs Threat Research Team members for their inputs and research.
About the author: Siddharth Sharma
Indicators of Compromise (IoCs) are reported in the original post available at
(SecurityAffairs – hacking, cyber security)