TeamTNT
TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments. [1][2][3][4][5][6][7][8][9]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1098 | .004 | Account Manipulation: SSH Authorized Keys | |
| Enterprise | T1583 | .001 | Acquire Infrastructure: Domains | |
| Enterprise | T1595 | .001 | Active Scanning: Scanning IP Blocks |
TeamTNT has scanned specific lists of target IP addresses.[6] |
| .002 | Active Scanning: Vulnerability Scanning |
TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.[6] |
||
| Enterprise | T1071 | Application Layer Protocol | ||
| .001 | Web Protocols |
TeamTNT has the curl command to send credentials over HTTP and download new software.[3][4] TeamTNT has also used a custom user agent HTTP header in shell scripts.[6] |
||
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
TeamTNT has executed PowerShell commands in batch scripts.[7] |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
TeamTNT has used batch scripts to download tools and executing cryptocurrency miners.[7] |
||
| .004 | Command and Scripting Interpreter: Unix Shell | |||
| Enterprise | T1609 | Container Administration Command |
TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers.[5] |
|
| Enterprise | T1613 | Container and Resource Discovery |
TeamTNT has checked for running containers with |
|
| Enterprise | T1136 | .001 | Create Account: Local Account |
TeamTNT has created local privileged users on victim machines.[3] |
| Enterprise | T1543 | .002 | Create or Modify System Process: Systemd Service |
TeamTNT has established persistence through the creation of a cryptocurrency mining system service.[6] |
| .003 | Create or Modify System Process: Windows Service |
TeamTNT uses malware that adds cryptocurrency miners as a service.[7] |
||
| Enterprise | T1610 | Deploy Container |
TeamTNT has deployed different types of containers into victim environments to facilitate execution.[3][6] |
|
| Enterprise | T1587 | .001 | Develop Capabilities: Malware | |
| Enterprise | T1611 | Escape to Host |
TeamTNT has deployed privileged containers that mount the filesystem of victim machine.[3][8] |
|
| Enterprise | T1133 | External Remote Services |
TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments.[3] TeamTNT has also targeted exposed kubelets for Kubernetes environments.[5] |
|
| Enterprise | T1222 | .002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
TeamTNT has modified the permissions on binaries with |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools | |
| .004 | Impair Defenses: Disable or Modify System Firewall | |||
| Enterprise | T1070 | .002 | Indicator Removal on Host: Clear Linux or Mac System Logs | |
| .003 | Indicator Removal on Host: Clear Command History | |||
| .004 | Indicator Removal on Host: File Deletion |
TeamTNT uses a payload that removes itself after running.[7] |
||
| Enterprise | T1105 | Ingress Tool Transfer |
TeamTNT has the curl command and batch scripts to download new tools.[3] |
|
| Enterprise | T1046 | Network Service Scanning |
TeamTNT has used masscan to search for open Docker API ports.[4][5] TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.[1] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
TeamTNT has encrypted its binaries via AES.[6] TeamTNT has also encoded files using Base64.[8] |
|
| .002 | Software Packing |
TeamTNT has used UPX and Ezuri packer to pack its binaries.[6] |
||
| Enterprise | T1057 | Process Discovery |
TeamTNT searches for rival malware and removes them if found.[6] |
|
| Enterprise | T1219 | Remote Access Software |
TeamTNT has established tmate sessions for C2 communications.[5] |
|
| Enterprise | T1021 | .004 | Remote Services: SSH | |
| Enterprise | T1496 | Resource Hijacking |
TeamTNT has deployed XMRig Docker images to mine cryptocurrency.[2][4] |
|
| Enterprise | T1014 | Rootkit |
TeamTNT has used the open-source rootkit Diamorphine to hide cryptocurrency mining activities on the machine.[6] |
|
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
TeamTNT has searched for security products on infected machines.[7] |
| Enterprise | T1608 | .001 | Stage Capabilities: Upload Malware |
TeamTNT has uploaded backdoored Docker images to Docker Hub.[2] |
| Enterprise | T1082 | System Information Discovery |
TeamTNT has searched for system version and architecture information.[7] |
|
| Enterprise | T1016 | System Network Configuration Discovery | ||
| Enterprise | T1049 | System Network Connections Discovery |
TeamTNT runs |
|
| Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
TeamTNT has searched for unsecured AWS credentials and Docker API credentials.[4][6] |
| .004 | Unsecured Credentials: Private Keys | |||
| .005 | Unsecured Credentials: Cloud Instance Metadata API |
TeamTNT has queried the AWS instance metadata service for credentials.[6] |
||
| Enterprise | T1204 | .003 | User Execution: Malicious Image |
TeamTNT relies on users to download and execute malicious Docker images.[2] |
| Enterprise | T1102 | Web Service |
TeamTNT has leveraged iplogger.org to send collected data back to C2.[8] |
|
Software
References
- Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021.
- Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 22, 2021.
- Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
- Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
- AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
- Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
- Intezer. (2021, September 1). TeamTNT Cryptomining Explosion. Retrieved October 15, 2021.