Pierluigi Paganini
October 18, 2021
The Uptycs Threat Research Team recently identified a campaign in which the TeamTNT threat actors deployed a malicious container image (hosted on Docker Hub) with an embedded script to download Zgrab scanner and masscanner—penetration testing tools used for banner grabbing and port scanning respectively. Using the scanning tools inside the malicious Docker image, the threat actor tries to scan for more targets in the victim’s subnet and perform further malicious activities.
Criminal groups continue to target Docker Hub, GitHub, and other shared repositories with container images and software components that include malicious scripts and tools. They often aim to spread coinminer malware, hijacking the computing resources of victims to mine cryptocurrency.
In this post, we will detail the technical analysis of the malicious components deployed by the TeamTNT threat actor.
The malicious Docker image was hosted in Docker Hub under the handle name alpineos, a community user who joined Docker Hub on May 26, 2021. At the time of this writing, alpineos profile was hosting 25 Docker images (See Figure 1).
Figure 1: Alpineos Docker hub handle
The Dockerapi image which we analysed had 5,400 downloads within approximately two weeks of being added. Another Docker image from the repository, ‘basicxmr’ has been downloaded more than 100,000 times. This clearly suggests that the profile is actively developing malicious images.
The Uptycs Threat Research Team reported the Docker image hosted in the Docker Hub website to the security team on September, 30 2021.
TeamTNT is a well known threat actor which targets *nix based systems and misconfigured Docker container environments. Threat actors associated with TeamTNT mostly use open-source tools in their campaigns, such as XMrig miner, Tsunami IRC bot (a.k.a kaiten) and the diamorphine rootkit.
The attack kill chain we observed TeamTNT using is shown below (see Figure 2).
Figure 2: TeamTNT attack life cycle
The different stages of the attack kill chain depicted above are as follows:
The monero-ocean shell script (c21d1e12fea803793b39225aee33fe68b3184fff384b1914e0712e10630e523e) used as initial vector had the following command to deploy alpineos/Dockerapi Docker image onto the victim system (see Figure 3)
Figure 3: Command to deploy Dockerapi container image
The command shown above runs the Dockerapi image with the following:
Using the command Docker ps, we can identify the malicious Docker image runs pause shell script (see Figure 4).
Figure 4: Dockerapi image runs pause shell script
The pause shell script inside Docker image installs basic utilities and the scanning tools Zgrab and masscan (see Figure 5).
Figure 5: Initial setup done by pause shell script
Upon installation of these tools, commands inside the pause shell script start heavy scanning on Docker related ports in an attempt to target more nodes (machines) in the victim subnet (see Figures 6,7).
Figure 6: Docker related scanned ports in the victim subnet
Figure 7: Masscan and Zgrab commands used for scanning
Masscan and zgrab scanning commands are used in the Docker container image for scanning and banner grabbing. The functionality of these commands is listed below.
The masscan works much like nmap utility which is used for scanning target IPs. In this case masscan scans with a rate of 50,000 pks/sec which is a huge rate against the port 2377.
The zgrab tool is used for vulnerability scanning and part of the zmap project. In this case the attacker used zgrab with 200 send coroutines (threads) for banner grabbing and saving the IP addresses with target opened ports in an output file.
As a result of scanning, once the target node is found, the command inside pause shell script performs the following:
Figure 8: base64 encoded command passed with misconfigured alpine image
Figure 9: Decoded base64 – Monero-ocean shell script getting downloaded and executed
The monero-ocean shell script later deploys Xmrig miner and the Tsunami IRC bot on the system it is being run on (see Figures 10 and 11).
Figure 10: command to download XMrig miner
Figure 11: command to download IRC bot
The IRC bot in the victim machine communicates with attacker C2 over port 8080 (see Figure 12).
Figure 12: IRC communication on port 8080
Alongside this, the monero-ocean shell script also contained the command to download diamorphine rootkit shell script (see Figure 13).
Figure 13: command to download diamorphine shell script
The diamorphine shell script (418d1ea67110b176cd6200b6ec66048df6284c6f2a0c175e9109d8e576a6f7ab) deploys the diamorphine rootkit in the victim system (see Figure 14).
Figure 14: Diamorphine Rootkit getting compiled and deployed
The diamorphine rootkit consists of features like hiding the pid, syscall table hooking and giving root privilege to the pid (see Figures 15 and 16).
Figure 15: cr0 WP bit modification for syscall table hooking
Figure 16: Hooked syscalls (getdents and kill)
The Uptycs EDR armed with YARA process scanning detected the malware components involved in this campaign with a threat score of 10/10 (see Figure 17,18,19). In addition, Uptycs offers the following abilities to secure your container deployments:
Figure 17: Uptycs EDR detection
Figure 18: masscan command captured by the Uptycs EDR
Figure 19: zgrab command captured by the Uptycs EDR
Conclusion
Docker containers have become an integral part of the organisations. A lot of services nowadays run in isolated Docker containers. The threat actors on the other side are also trying to deploy malicious components to escape Docker containers and target host machines and the other nodes connected in a subnet and its swarm. Hence, to maintain a robust security stance, it is crucial to be able to detect malicious images early in the CI/CD pipeline as well as monitor all the container activities in runtime.
The EDR capabilities of Uptycs empowers security teams to detect, investigate attacks in their Docker infrastructure.
Credits: Thanks to Uptycs Threat Research Team members for their inputs and research.
About the author: Siddharth Sharma
Indicators of Compromise (IoCs) are reported in the original post available at
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, cyber security)
[adrotate banner=”5″]
[adrotate banner=”13″]
