Sliver Malware: How It’s Powering a New Era of Illicit Cryptomining

Understanding Sliver Malware’s Rise

Sliver malware, an open-source command-and-control (C2) framework, has emerged as a powerful tool among cyber attackers, especially in the realm of cryptomining. The notorious cryptojacking collective known as TeamTNT has started leveraging this adaptable framework to strengthen its campaigns, particularly targeting Docker-based cloud environments.

TeamTNT has been a persistent player in the cybersecurity landscape, and their adoption of Sliver malware highlights their continuous drive to evolve and expand their tactics. This shift from older tools to Sliver allows them to command compromised servers with greater precision, ultimately feeding into their goals of cryptomining and resource monetization.

What Sliver Malware Wants: Powering Cryptomining Operations

The primary goal of Sliver malware in TeamTNT’s campaigns is to take control of cloud servers for unauthorized cryptomining activities, often referred to as cryptojacking. Once Sliver is deployed on a server, it enables attackers to remotely control the device, manage cryptomining scripts, and harness the server’s processing power to mine cryptocurrency without the owner’s knowledge.

One of the main features of Sliver is its ability to execute a range of commands that support this covert cryptomining operation. It allows attackers to initiate, monitor, and terminate mining processes as needed. Moreover, Sliver facilitates additional network communication, enabling TeamTNT to recruit the compromised devices into larger, distributed networks known as Docker Swarms. This allows TeamTNT to orchestrate large-scale mining efforts or rent out server power to third parties through platforms that pay for rented compute, thereby creating a sustainable revenue model for their operations.

Docker as the Launchpad: How TeamTNT Deploys Sliver

TeamTNT’s Sliver-driven attacks primarily target Docker containers, which are popular within cloud-native environments for their scalability and efficiency. Docker’s remote API, which is often reachable from the internet when it has not been properly secured, provides an entry point for TeamTNT to inject Sliver malware into the infrastructure. In their latest campaign, TeamTNT scans for exposed Docker API endpoints to locate vulnerable servers and automatically install cryptomining software.

A critical part of this operation involves using Docker Hub as a distribution platform. By hosting compromised Docker images embedded with Sliver malware, TeamTNT can quickly scale its campaign, spreading the malware across numerous environments. Once a container infected with Sliver malware is deployed, it executes a series of scripts that link the device to TeamTNT’s command infrastructure. This infrastructure not only coordinates the mining activity but also makes it difficult for administrators to detect the unauthorized use of resources.

Implications for Businesses: Resource Drain and Security Risks

The use of Sliver malware for cryptojacking brings several implications for businesses, particularly those heavily reliant on cloud infrastructure. First and foremost, cryptojacking can significantly drain computational resources, as cryptomining consumes vast amounts of processing power. For businesses, this may translate to decreased application performance, higher energy costs, and unexpected server downtime, all of which can impact service delivery and customer satisfaction.

Beyond resource consumption, the deployment of Sliver also introduces a complex set of security challenges. Since the malware operates through a command-and-control framework, attackers can exploit it to expand their foothold within a network. This expanded access opens up possibilities for additional malicious activity, such as data theft, lateral movement, or the deployment of other forms of harmful software. Additionally, the ability to remotely control infected servers offers attackers a platform to launch further attacks within or outside the compromised network, amplifying the risk to business integrity and reputation.

How TeamTNT’s Tactics Signal a Changing Threat Landscape

The adoption of Sliver malware reflects a broader trend in cybercrime toward greater adaptability and sophistication. Unlike traditional malware, Sliver’s open-source nature allows threat actors to customize it according to their needs, whether to improve stealth, enhance remote control capabilities, or integrate it with other malware. This adaptability means that Sliver can serve multiple purposes depending on the specific tactics and objectives of a threat actor.

TeamTNT, in particular, demonstrates a high level of operational flexibility. By shifting their approach and adopting new tools like Sliver, they remain resilient and hard to disrupt. Their operations, once focused solely on cryptojacking, now incorporate additional revenue streams, such as selling access to compromised servers or offering cryptomining as a service to other attackers. This multi-dimensional approach not only complicates defensive efforts but also indicates a maturation in the business model of illicit cryptomining groups.

Staying Protected Against Sliver Malware and Similar Threats

To protect against threats like Sliver, businesses need to maintain a proactive stance in securing their cloud infrastructure. This includes:

  • Locking Down Docker API Access: Unsecured Docker endpoints are a primary entry point for TeamTNT. Ensuring that Docker’s APIs are securely configured with strong authentication requirements can prevent unauthorized access.
  • Monitoring for Abnormal Activity: Unusual server performance or high CPU usage may signal cryptojacking. By actively monitoring resource utilization, businesses can detect potential cryptojacking activity and investigate further.
  • Regular Vulnerability Scanning: Routine scans can help identify exposed or weak points in cloud environments, allowing businesses to address vulnerabilities before attackers exploit them.
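As an added, defender-side illustration of the first two bullets (not code from the original article or from any tool it names), the Python below audits a Docker daemon.json for an API exposed over plain TCP without client-certificate verification, and flags containers whose CPU share in docker stats output exceeds a threshold; both configs, the 10.0.0.5 address and the stats lines are constructed for the example.

```python
import json
import re

# Constructed daemon.json with the weak setting: API exposed on all interfaces
# over plain TCP, no TLS client verification (the exposed-endpoint pattern).
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tls": false
}
"""
# Same config hardened: TCP only on an internal address (constructed 10.0.0.5)
# with mutual TLS (tlsverify) and the CA, server cert and key configured.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

def audit_daemon_config(raw_json: str) -> list[str]:
    """Return findings for a daemon.json; an empty list means nothing flagged."""
    cfg = json.loads(raw_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append("Docker API on TCP without tlsverify (no client-cert auth)")
    if cfg.get("tlsverify") and not all(k in cfg for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify set but tlscacert/tlscert/tlskey incomplete")
    for h in tcp_hosts:
        if h.startswith(("tcp://0.0.0.0:", "tcp://[::]:")):
            findings.append(f"API bound to all interfaces: {h}")
    return findings

# Constructed lines shaped like `docker stats --no-stream --format
# "{{.Name}} {{.CPUPerc}}"`; a miner pins every core, so CPUPerc far above
# 100% on a multi-core host is the symptom worth investigating.
SAMPLE_STATS = "web-frontend 3.42%\npostgres 12.07%\nworker-7f2a 397.65%\n"
STATS_RE = re.compile(r"^(\S+)\s+([\d.]+)%$")

def high_cpu_containers(stats_text: str, threshold: float = 90.0) -> list[tuple[str, float]]:
    """(name, cpu%) pairs for containers whose CPU percentage exceeds threshold."""
    rows = [STATS_RE.match(line.strip()) for line in stats_text.splitlines()]
    return [(m.group(1), float(m.group(2))) for m in rows if m and float(m.group(2)) > threshold]
```

Feed the real /etc/docker/daemon.json and live `docker stats` output to the two functions to turn them into a periodic check.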

In sum, the rise of Sliver malware illustrates a significant shift in how cryptomining campaigns are conducted. For businesses operating in cloud environments, understanding the tactics and goals of groups like TeamTNT can be crucial in staying resilient against evolving cyber threats. With sound cloud security and vigilance, companies can better protect their systems from falling victim to illicit cryptomining campaigns and the complex repercussions that accompany them.

October 28, 2024