TeamTNT Deploys Malicious Docker Image On Docker Hub

The Uptycs Threat Research Team spotted a campaign in which the TeamTNT threat actors deployed a malicious container image on Docker hub.

The Uptycs Threat Research Team recently identified a campaign in which the TeamTNT threat actors deployed a malicious container image (hosted on Docker Hub) with an embedded script to download Zgrab scanner and masscanner—penetration testing tools used for banner grabbing and port scanning respectively. Using the scanning tools inside the malicious Docker image, the threat actor tries to scan for more targets in the victim’s subnet and perform further malicious activities.

Criminal groups continue to target Docker Hub, GitHub, and other shared repositories with container images and software components that include malicious scripts and tools. They often aim to spread coinminer malware, hijacking the computing resources of victims to mine cryptocurrency.

In this post, we will detail the technical analysis of the malicious components deployed by the TeamTNT threat actor.

 

Alpineos profile – Responsible Disclosure

The malicious Docker image was hosted in Docker Hub under the handle name alpineos, a community user who joined Docker Hub on May 26, 2021. At the time of this writing, alpineos profile was hosting 25 Docker images (See Figure 1).

Figure 1: Alpineos Docker hub handle

The Dockerapi image which we analysed had 5,400 downloads within approximately two weeks of being added. Another Docker image from the repository, ‘basicxmr’ has been downloaded more than 100,000 times. This clearly suggests that the profile is actively developing malicious images. 

The Uptycs Threat Research Team reported the Docker image hosted in the Docker Hub website to the security team on September, 30 2021.

TeamTNT threat actor

TeamTNT is a well known threat actor which targets *nix based systems and misconfigured Docker container environments. Threat actors associated with TeamTNT mostly use open-source tools in their campaigns, such as XMrig miner, Tsunami IRC bot (a.k.a kaiten) and the diamorphine rootkit.

 

The Attack kill chain

The attack kill chain we observed TeamTNT using is shown below (see Figure 2).

teamtnt 2

Figure 2: TeamTNT attack life cycle

The different stages of the attack kill chain depicted above are as follows:

  • Using the monero-ocean shell script, TeamTNT/Hilde deployed a new malicious Docker image named Dockerapi which was hosted on Docker hub website. 
  • Using Docker, the malicious image was run with the privilege flag, and was mounted with the victim host and victim host’s network configuration. 
  • The malicious Docker image had an embedded shell script named ‘pause’.
  • The ‘pause’ shell script inside the malicious Docker image had commands to install masscanner and the zgrab tool.
  • After setting up the scanning tools, the functions in the ‘pause’ script start scanning rigorously in the victim subnet on Docker related ports for more target virtual machines (nodes). A node is a part of Docker swarm. A Docker swarm is a group of physical or virtual machines (nodes) operating in a cluster. 
  • Once the target node is found as a result of the Docker-related port scan in the victim subnet, the pause shell script runs the misconfigured alpine Docker image remotely (from the victim machine) in the target node, passing a base64 command as command line. The command:
  1. Generates the ssh keys and adds it to authorized_keys file.
  2. Logs into the target node’s host via ssh and downloads the monero-ocean shell script from the C2 (teamtnt[.]red) into the target node’s host.
  • The monero-ocean shell script in this campaign later deploys Xmrig miner and the Tsunami IRC bot on the system it is being run on.
  • The monero-ocean shell script also downloads another shell script (diamorphine shell script) which downloads and deploys the diamorphine rootkit to the victim’s system.
  • The diamorphine rootkit consists of features like hiding the pid, syscall table hooking and giving root privilege to the pid.

 

Technical Analysis

The monero-ocean shell script (c21d1e12fea803793b39225aee33fe68b3184fff384b1914e0712e10630e523e) used as initial vector had the following command to deploy alpineos/Dockerapi Docker image onto the victim system (see Figure 3)

Dpqp3i2uw7Tp0XsLvJ19XAAMerL1 sEAEXb5ph GgUTrl wl9EIYYtYXL2svHmqq7KXuhdk1iNirB9QLbdrNTDIMpv8igM16ta93FJMgk2r Tc0Pz1qe uOA3JX qmyG1RRdPt09=s0

Figure 3: Command to deploy Dockerapi container image

The command shown above runs the Dockerapi image with the following:

  • –privilege flag
  • –net flag to have host’s network configuration inside container
  • /host mounted inside container image

Using the command Docker ps, we can identify the malicious Docker image runs pause shell script (see Figure 4).

asg52KuQtdPl 1ysXHF16ko0iXoNRvnZclvzAmnqC3ADqNFMsDSjSZJV kX O307VDTHKuBj20JMqJLgeU2qfN2QNTtqURzVSg2vdTGjC05Cwdgmjpl332w8jDtvgmeBd k2XQh=s0

Figure 4: Dockerapi image runs pause shell script 

The pause shell script inside Docker image installs basic utilities and the scanning tools Zgrab and masscan (see Figure 5).

bakha7vBF2Ic ilDDwwL lu5Xn7NciDd s7O8ks63HvrnSXe3DZpXK ELuZW8bJNyPUbKQV IQ5fcFtx3l48fHj3xyRWBEdJqq0Z1FHGZx9FQx u0N81POY69k DAh16wzjrumUV=s0

Figure 5: Initial setup done by pause shell script 

Upon installation of these tools, commands inside the pause shell script start heavy scanning on Docker related ports in an attempt to target more nodes (machines) in the victim subnet (see Figures 6,7).

Figure 6: Docker related scanned ports in the victim subnet

16Oxsuy0zpXQmP3Ed8 s8jTzxOyMY6 OOgxCdbwzsv5 uhocW GJCmYgvLPO RorhiXKlD9JtjZGHXO4CJfuh8CpDY4GlH CaaKN3IQQf05I0u4GEFn91rkGjb 62lvANzbl6X4p=s0

Figure 7: Masscan and Zgrab commands used for scanning

Masscan and zgrab

Masscan and zgrab scanning commands are used in the Docker container image for scanning and banner grabbing. The functionality of these commands is listed below.

masscan 1.0.0.0/8 -p2377 –rate 50000

The masscan works much like nmap utility which is used for scanning target IPs. In this case masscan scans with a rate of 50,000 pks/sec which is a huge rate against the port 2377.

zgrab –senders 200 –port 2377 –http=/v1.16/version –output-file=-2>dev/null

The zgrab tool is used for vulnerability scanning and part of the zmap project. In this case the attacker used zgrab with 200 send coroutines (threads) for banner grabbing and saving the IP addresses with target opened ports in an output file.

Alpine Docker image deployment

As a result of scanning, once the target node is found, the command inside pause shell script performs the following:

  1. Remotely runs the alpine Docker image with full privilege and host mounted on the target node.
  2. Uses a base64 encoded command which adds newly generated ssh keys to authorized_keys file. 
  3. Using the same command, logs into the target node’s host with ssh and downloads the monero-ocean shell script in the target host (see Figures 8,9).
sjbJZWIQcbD9Xrsa0iZ3Kq0XxbgiY7ADUhb8eBX1Syq XrOM x3GZJ6chlXfv2siDCF9Ue C8Fjv7pd

Figure 8: base64 encoded command passed with misconfigured alpine image

Hya z5ZPAzIZqE2QZ7vx6CwQgW1P4yeWPhRl16OsRszatD MM830loDXQLrn fIwhOfKI4si7dXLJyp0hDJDArsScnitifwusa9h9PSsjKdFeRDplI 9qKn5vuzLdQqRnmNPt3tT=s0

Figure 9: Decoded base64 – Monero-ocean shell script getting downloaded and executed

Xmrig miner, IRC bot and DiaMorphine Rootkit

The monero-ocean shell script later deploys Xmrig miner and the Tsunami IRC bot on the system it is being run on (see Figures 10 and 11).

9vbr3xCo2gW4xJPArq7OAcJJpvzYyL IaRsP0Awl0mJc3VgUtgK6ZlKTO3n6t3zyM QGbLT1 6nqcagYm7wdNH0qNhiX6tagc1w0LXbFo0lSFPxwdc7S8QWRnyFr1FhNaHm5mRr =s0

Figure 10: command to download XMrig miner

JLbCEfWOV9PJnoWlIwISwr8IgM9oVjju2MHNX22f9XQmxPdB 4 XYdxAJhB5u4HW8mT4lPGn0Pt7LYrgJjbhixrbCyg3MbIaRuBV W6xnf7WcZoy90 LlN0OMVwwDkvGVui1wG l=s0

Figure 11: command to download IRC bot

The IRC bot in the victim machine communicates with attacker C2 over port 8080 (see Figure 12). 

3y17VX4GaQUtuuerhTDPbGpZiDHgYRASJKEDS88E4X8R HqahqwNh7A1 UHwwNGoH7NWiAyA4NJifPgWCBKLf0Q1FS xhbt5dVmFwwcNvls

Figure 12: IRC communication on port 8080

Alongside this, the monero-ocean shell script also contained the command to download diamorphine rootkit shell script (see Figure 13).

ap524gz6s8tHpInyHgzQznPCFfCzL L2MJXTIoyAjWJ ugsa1KLj1O1wEDBaN4AL7E0o3HBG9OnrQoQ6rOd9UFSV2rCmNJtk2O 2eSDJGKaevwHTeyj4iY0vlz7gIZ4qLfKiKj6=s0

Figure 13: command to download diamorphine shell script

The diamorphine shell script (418d1ea67110b176cd6200b6ec66048df6284c6f2a0c175e9109d8e576a6f7ab) deploys the diamorphine rootkit in the victim system (see Figure 14).

9qJfDGqn7kIQpUIHJ1usA LPejnl8w6GxGpxaQt3o XsVog29 bqhFYxMaH Hdi1SxziuYhhfrtq7GUKVORz7Uf03oBZgGGInDNjgQolkQ81

Figure 14: Diamorphine Rootkit getting compiled and deployed 

The diamorphine rootkit consists of features like hiding the pid, syscall table hooking and giving root privilege to the pid (see Figures 15 and 16).

BK8bnNK670l O72cBaSZSOPoZmbLzgf5N8QtdXlpLr9Tvgk0VkYYi28u8kazwhyyr51XyI0voUVinsBjBfzBDHwJEF5 ESW EKVm1wSIATnk N2GhEHj8

Figure 15: cr0 WP bit modification for syscall table hooking

PsBWaPS5s3aIzGOWjNAMt3kSus0jAxW6YO2nWEGPMDxpnV9sPSelaTHPfmcGGauGkMFOTgdTvlavmK2CHDOaId598ac5tdekfsY8WKnmC039DFlm9jw6WDiX1s2hE

Figure 16: Hooked syscalls (getdents and kill)

Uptycs EDR detections

The Uptycs EDR armed with YARA process scanning detected the malware components involved in this campaign with a threat score of 10/10 (see Figure 17,18,19). In addition, Uptycs offers the following abilities to secure your container deployments: 

  • Uptycs integrates with CI/CD tools so that developers can initiate image scans at build time to detect malicious container images before they are deployed to production. 
  • Uptycs continuously monitors and reports on compliance with the CIS Benchmark for Docker to identify misconfigurations that attackers can exploit, and offer remediation guidance so that your team can quickly fix those issues.
G8vCMnB5fmcUE2ZphIUgb2i8ztJTFftKwzv1np5YvNyK6oI kNNw g3C3Qw A9flzYGu5UAsZq605RGhFAr0aFDmdL9oF

Figure 17: Uptycs EDR detection

WYwan4d6nJ8FbncaE8JdEsbB W

Figure 18: masscan command captured by the Uptycs EDR

bAqC54pv5YmrvWOZx32Tf6ci5lZ38pH9GvTiaEm7hcGYjj7AsG8 D PT5GphCX38HtVYJN4pVML01 TmCyV2t7pD9kAArIYc 7ymPwveEpE TRWW iTebv7h1dJif5Y1Avb93088=s0

Figure 19: zgrab command captured by the Uptycs EDR

Conclusion

Docker containers have become an integral part of the organisations. A lot of services nowadays run in isolated Docker containers. The threat actors on the other side are also trying to deploy malicious components to escape Docker containers and target host machines and the other nodes connected in a subnet and its swarm. Hence, to maintain a robust security stance, it is crucial to be able to detect malicious images early in the CI/CD pipeline as well as monitor all the container activities in runtime. 

The EDR capabilities of Uptycs empowers security teams to detect, investigate attacks in their Docker infrastructure.

Credits: Thanks to Uptycs Threat Research Team members for their inputs and research.

About the author: Siddharth Sharma

Indicators of Compromise (IoCs) are reported in the original post available at

https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

The post TeamTNT Deploys Malicious Docker Image On Docker Hub appeared first on Security Affairs.

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source