Cryptojacker Targets Exposed Docker Daemon APIs

Black-T Malware Favors Targeting AWS Credential Files

A new malware variant dubbed Black-T developed by the hacker group TeamTnT targets exposed Docker daemon APIs to perform scanning and cryptojacking operations, according to researchers at Palo Alto Unit 42.

TeamTnT is a cloud-focused cryptojacking group that often targets AWS credential files on compromised cloud systems to mine for Monero. The researchers found that Black-T includes features not found in the group’s earlier malware, including “targeting and stopping of previously unknown cryptojacking worms - the Crux worm, ntpd miner and a redis-backup miner,” the researchers note.

Black-T also scrapes passwords from memory using mimipy and mimipenguins, which are *NIX equivalents of Mimikatz, the commonly used Windows-specific memory password scraper, Unit 42 reports.

“Any identified passwords which were obtained through mimipenguins are then exfiltrated to a TeamTnT command and control node. This is the first time TeamTnT actors have been witnessed including this type of post-exploitation operation,” the researchers state.

The Attack Method

In Black-T attacks, TeamTnT’s first step is to identify and exploit an exposed Docker daemon API, which enables the group to drop malware onto the victim’s system. The malware then displays an ASCII art banner stating the malware’s name.

Next, the script preps the system by searching for and removing any competing cryptojacking malware operating on the network.

The Black-T code can remove or evade Aliyun and Tencent cloud security software. It contains AWS credential-stealing features and the ability to scan for ports using the network scanners masscan, pnscan and zgrab.

TeamTnT uses these scanners to identify additional exposed Docker daemon APIs on the local network and across any connected networks to help expand the cryptojacking operation.

“They are using the little-known zgrab, which is a GoLang tool, used to capture address banners. It is currently unclear how TeamTnT actors will use this data, but it is highly likely the actors are giving zgrab a trial run to test the scanner’s functionality for their operations,” the report says.

After all these steps are completed, Monero mining malware is downloaded, and it sends mined currency to a pre-set digital currency address.
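
An added example, not from the Unit 42 report or this article: because the first step described above depends on a Docker daemon API that is reachable without authentication, this Python check audits the contents of a host's daemon.json and its dockerd command line for TCP listeners that do not require client certificates. The function names and sample configurations are constructed for illustration; note that "tls" alone encrypts the connection but does not authenticate the client.

```python
import ipaddress
import json
import shlex
from urllib.parse import urlsplit

def collect(daemon_json, cmdline):
    """Gather listener addresses and the tlsverify setting from both sources."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tlsverify = cfg.get("tlsverify") is True
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    return hosts, tlsverify

def is_loopback(hostname):
    if hostname is None:  # "tcp://:2375" has no host part and binds every interface
        return False
    if hostname == "localhost":
        return True
    try:
        return ipaddress.ip_address(hostname).is_loopback
    except ValueError:
        return False  # unresolved name: assume it is reachable from the network

def audit(daemon_json, cmdline=""):
    """Return (severity, listener) for each TCP listener lacking client-cert auth."""
    hosts, tlsverify = collect(daemon_json, cmdline)
    findings = []
    for listener in hosts:
        # unix:// and fd:// are local; only tlsverify enforces client certificates
        if urlsplit(listener).scheme != "tcp" or tlsverify:
            continue
        level = "WARN" if is_loopback(urlsplit(listener).hostname) else "CRITICAL"
        findings.append((level, listener))
    return findings

# Constructed sample configurations (certificate path keys omitted for brevity)
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_ONLY = '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true}'
HARDENED = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true}'

if __name__ == "__main__":
    print([audit(c) for c in (EXPOSED, TLS_ONLY, HARDENED)])
```

On a Linux host the inputs would be the contents of /etc/docker/daemon.json and the dockerd command line from the service unit or process list.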

TeamTnT Recent Operations

Last month, TeamTnT was weaponizing Weave Scope, a legitimate cloud monitoring tool, to help install cryptojackers in cloud environments. The hacking group, which security researchers first spotted in May, uses botnets to help install cryptojackers in vulnerable or unprotected Docker containers as well as Kubernetes instances. In August, researchers found the hackers were stealing Amazon Web Services credentials (see: Cryptojacking Botnet Steals AWS Credentials).

The group leveraged Weave Scope - an open-source cloud monitoring tool from Weave Works that integrates with Docker, Kubernetes and Amazon Web Services Elastic Compute Cloud - to gain access to these platforms and install malicious code, the reports note.

Cryptojackers Still Digging

Other new cryptojacking campaigns have emerged in recent months. For example, in June, Unit 42 discovered a cryptojacking campaign that used malicious Docker images to hide cryptocurrency mining code (see: Hackers Used Malicious Docker Images to Mine Monero).

Also in June, Microsoft’s Azure Security Center warned about a hacking campaign that targets the Kubeflow platform on Kubernetes and then uses the XMRig cryptominer to mine for Monero (see: Kubeflow Targeted in XMRig Monero Cryptojacking Campaign).