The Uptycs Threat Research Team spotted a campaign in which the TeamTNT threat actors deployed a malicious container image on Docker hub.
The Uptycs Threat Research Team recently identified a campaign in which the TeamTNT threat actors deployed a malicious container image (hosted on Docker Hub) with an embedded script to download Zgrab scanner and masscanner—penetration testing tools used for banner grabbing and port scanning respectively. Using the scanning tools inside the malicious Docker image, the threat actor tries to scan for more targets in the victim’s subnet and perform further malicious activities.
Criminal groups continue to target Docker Hub, GitHub, and other shared repositories with container images and software components that include malicious scripts and tools. They often aim to spread coinminer malware, hijacking the computing resources of victims to mine cryptocurrency.
In this post, we will detail the technical analysis of the malicious components deployed by the TeamTNT threat actor.
Alpineos profile – Responsible Disclosure
The malicious Docker image was hosted in Docker Hub under the handle name alpineos, a community user who joined Docker Hub on May 26, 2021. At the time of this writing, alpineos profile was hosting 25 Docker images (See Figure 1).
Figure 1: Alpineos Docker hub handle
The Dockerapi image which we analysed had 5,400 downloads within approximately two weeks of being added. Another Docker image from the repository, ‘basicxmr’ has been downloaded more than 100,000 times. This clearly suggests that the profile is actively developing malicious images.
The Uptycs Threat Research Team reported the Docker image hosted in the Docker Hub website to ..
Support the originator by clicking the read the rest link below.