Category: Adversary Intelligence	Industry: IT & Technology	Region: Global	Source: A2

Executive Summary

THREAT	TTPs	TOOLS
Threat actor group, TeamTNT, compromised multiple cloud instances and containerized environments. Target list includes Docker, Redis server, AWS, and Kubernetes.	Reconnaissance Credential Stealing Installing backdoors, rootkits stealer, botnets, and miners Maintain access and moving laterally Cryptojacking	Network/ Port scanning tools Malicious Binaries Packers and Crypters Credential Stealers PWN Remote Services

Analysis and Attribution

History

• TeamTNT goes by the Twitter handle “@HildeTnT / HildeGard@TeamTNT”
• During their attack period, the group was very active on Twitter, posting and discussing:
  • Attacks conducted
  • Servers compromised
  • Tools employed
• The group most likely originates from Germany because:
  • Most of the tweets and bash scripts are in the German language.
  • The account’s location is set to Deutschland.
  • Comments in the bash scripts contain words from the German language.

Information from OSINT

• The following Tweet made on the group’s official account, suggests that it is a collective of 12 individuals (or more if they hired new people in late 2020).

[caption id="attachment_20458" align="aligncenter" width="1198"] TeamTNT’s Tweet about managing a group of 12 programmers[/caption]  

• TeamTNT’s Github profile contains 25 public repositories, most of which are the forks of the popular red teaming tools and other repositories possibly leveraged by them.
• The following domain was used by the group to host their malicious files and scripts while performing the attack: https://teamtnt[.]red.
• CloudSEK researchers were able to gather the following information about the domain:
  • Domain was registered on 10 February 2020
  • During the same time TeamTNT had begun to actively target Redis servers
  • Domain is currently inactive
  • Some screenshots of the domain are still available on Wayback Machine

Timeline of TeamTNT

[caption id="attachment_20459" align="alignnone" width="2048"] Event Timeline of TeamTNT[/caption]  

Redis Attacks (February 2020)

• The group has been active since February 2020 when they launched their first campaign targeting Redis servers.

[caption id="attachment_20460" align="aligncenter" width="2048"] Attack flow for targeting the Redis server[/caption]  

• The motive behind the attack was cryptojacking and the following tools were used:
  • pnscan - An open-source parallel network scanner, used to scan the whole internet and look for the services listening on the default Redis port (port: 6379). The setup script generates the payload that is executed on the Redis servers.
  • Tsunami - An open-source botnet, aslo known as titan or ziggystartux, used to perform DDoS attacks against targets or to execute commands on the infected machine.
  • xmrigCC - A tool used for mining crypto.
  • watchdog.c - A type of monitoring tool used in Linux for monitoring the mining process.
  • Punk.py - A post-exploitation tool meant to help network pivot from a compromised Unix box. This tool collects usernames, SSH keys, as well as known hosts from a Unix systemt and then tries to connect via SSH to all the combinations found.

[caption id="attachment_20461" align="alignnone" width="2048"] Detailed breakdown of the setup script used in Redis campaign[/caption]  

Docker Attacks (May 2020)

• In May 2020, the group started targeting Docker by employing the same Bash scripts and malware.
• The group’s primary motive remained the same, i.e cryptojacking.
• A new tool was added to their arsenal:
  • masscan - A TCP port scanner used to find misconfigured Docker services by scanning exposed ports and services. Once a victim is located, using masscan and zgrab, the attacker creates a container using Alpine image and passes an argument to the script which downloads and executes other malicious scripts.

[caption id="attachment_20462" align="alignnone" width="2048"] Targeting Docker Instances using a Bash script[/caption]

Improvised Docker Attacks (August 2020)

• The group continued their attacks on Docker however they started using the Ubuntu images directly instead of Alpine.
• The group started using a Linux Kernel Module (LKM) rootkit named Diamorphine to hide their activities on infected machines.
• AWS credential-stealing capabilities were added into their scripts.

Weavescope Attacks (September 2020)

• TeamTNT added started exploiting Weavescope for troubleshooting and leveraging it as a backdoor for the following:
  • Gaining full access to the victim’s cloud environment
  • Monitoring Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS)
  • Running shell commands
• The group began using two new tools to steal credentials from browser history and network connections:
  • Mimipy
  • Mimipenguin
• The group also began using a simple Linux ELF runtime crypter, ezuri, to encrypt their malware for evading detection.

Kubernetes Attacks (January 2021)

• Lacework Labs released a report on Tsunami (the bot used by TeamTNT) mentioning the following details:
  • Only 90 of the 200 connected bots were detected with unique IP addresses from the previous scripts.
  • Some of the bots behind a NAT service were sharing the same external IP address.
  • Majority of the affected computers were Asian cloud instances hosted primarily by Tencent, Alibaba, and AWS.
• During this period, the group stopped attacking Redis instances and started targeting Kubernetes.
• Three new tools were being employed by the group:
  • Peirates - An open-source Kubernetes Penetration Testing tool
  • Botb - An open-source tool for container analysis and exploitation for Kubernetes
  • libprocesshider - An open-source tool that uses the ID preloader to hide a process under Linux.

Increased Credential Stealing Capabilities (June 2021)

• The group’s target list remained the same but they expanded their credential-stealing capabilities, to the following services and applications.

AWS	Shodan	PostgreSQL
S3 buckets	GCP	SMB
Docker	ngrok	Hexchat
SSH	MoneroGuiWallet	Filezilla
Davfs2	GitHub

• They added the plugin of AWS CLI in their script to exfiltrate maximum information about the instance inclduing resources, instance, roles, volumes, etc.

Chimaera Campaign (July 2021)

• On 25 July 2021, TeamTNT launched a campaign named “Chimaera” where they continued their attacks on Docker, Kubernetes, and Weavescope services.
• To maintain transparency, the group created a dashboard on their website that displayed campaign statistics.

[caption id="attachment_20463" align="alignnone" width="845"] Chimaera campaign dashboard to display statistics on the website[/caption]

• The group significantly improved their enumeration technique by adding over 70 unique AWS CLI commands designed to enumerate the following 7 AWS services:
  • IAM configuration
  • EC2 instances
  • S3 buckets
  • Support cases
  • Direct connection
  • CloudTrail
  • CloudFormation
• They also started employing LaZagne, another open-source application, to enhance their credential-stealing capabilities.

Techniques, Tactics & Procedures (TTPs)

[caption id="attachment_20464" align="alignnone" width="1677"] TTPs employed by TeamTNT[/caption]   TeamTNT essentially employed the same strategies across all of its campaigns, however they did it by making the following adjustments to their methods:

• Account manipulation by adding their own SSH authorized_keys on compromised servers.
• Installing a scanner to scan the entire internal network for lateral movements.
• Using process monitoring tools to restart processes.
• Using scripts to install all sorts of tools, malware, and miner.
• Packing binaries to evade normal security checks .
• Using obfuscation and encodings in bash scripts and while communicating through C2 servers.
• Using kernel-level rootkits to hide their process.
• Deploying own containers for attacks and mining.
• Using data stealing cloud service credentials.
• Resource hijacking and deploying XMRig Docker images to mine cryptocurrency.

Tools & Exploits

TeamTNT employed mostly open-source tools and depended heavily on bash scripts to manage all the tools. The table below contain the list of tools used by them for conducting their activities.

Tools & Exploits
Network & Port Scanning Tools	Packers & Crypters
Pnscan masscan zgrab	Ezuri UPX
Malicious Binaries	Credential Stealer
Tsunami (IRC bot malware) xmrigCC Diamorphine Libprocesshide rathole	Punk.py LaZagne Mimipy Mimipenguin
CPWN Remote Services (Redis, Docker, Kubernetes)
Mostly they used custom scripts to pwn the services like Redis, Kubernetes Peirates Botb Docker Escape Tool (CVE-2019-5736)

Indicators of Compromise (IoCs)

SHA256
setup.sh	b5ba2c86ebf85cbf700c83d7edc034717d7ee08e84fbae440a38139c15ef7a27
watchdogd(32-bit)	69fea980538a12ac0791f0801fc93d8b4d16e8329793d635221a16f935e8ca07
XMRig Miner(32-bit)	4256402fc04e49f3da8d1bf88efdcca6a3b03f4b881777d2c32a8df364cececd
bioset	da43ed194729f82db68b1d91a17cea6afde8ae81357116c35c4c129888a836bf
config.json	285e91d3d578fcaf6665c70de457f602d572203b04c281c03b4bf9103aa5f61f
do.sh	9c29d4ecf6a60e7bfc0afbaa7a669a18af163440730711367d1c715042b5f755
watchdogd(64-bit)	fdf26ebad48da26be59b5784f43d1e5ee2efa93c59a717fe2ae1d82bf3f016d3
XMRig Miner(62-bit)	b6f57f8a7fba70d6660335828d2a14029c88079a8176dca2c63281a759fd84ca
log.c	59aa2101b05225dd0eb7e7b456eb26357540723e3c1d8a10deca83e9715a10fb
full-cleanup	6a1221fc82b2bf13dc8112795d3edfb7bab8df7a9d4af69b89da4ac31e0e87e5
narrenkappe.sh	a25a73af06c43a20eb9f4f8b67357cec3c74143ccf97ce666446296a360d93fa
punk.py	a66140870d0a71c7bd42b7631e4a85858e6b33e4a21be637b94d41833dee8383
s_poor.ssh.sh	1eead4f456ed8741d1de821e2fcecb026c1cbbf3477786cc3e637eac05811f46
whois2.irc.sh	795a3d99c1e8e34a6228d95c4435c5ed7c866dc0e303f9788ea6fe055b1a7ac6
whois.irc	205db0ef59cad167c6132916f8f7a1d1963e740b36400419b2e5ba307e9f765c
dns3	07377cac8687a4cde6e29bc00314c265c7ad71a6919de91f689b58efe07770b0
init.sh (the second script)	5c488d9d6820f859cde5fb5d147cfe584a603152653d12e720b897df60c6f810
clean.sh	6b8d828511b479e3278264eff68059f03b3b8011f9a6daaeff2af06b13ba6090
mxutzh.sh	8926672fe6ab2f9229a72e344fcb64a880a40db20f9a71ba0d92def9c14497b6
setup.mytoys.sh	b60be03a7305946a5b1e2d22aa4f8e3fc93a55e1d7637bebb58bf2de19a6cf4a
setup.xmrig.curl.sh	bebaac2a2b1d72aa189c98d00f4988b24c72f72ae9348c49f62d16b433b05332
sysinfo	3c907087ec77fc1678011f753ddf4531a484009f3c64563d96eff0edea0dcd29
portainer	b49a3f3cb4c70014e2c35c880d47bc475584b87b7dfcfa6d7341d42a16ebe443
tt.sh	2cde98579162ab165623241719b2ab33ac40f0b5d0a8ba7e7067c7aebc530172
aws.sh	8cedd6187439f73675b076d70647ee117ec3a4184a5045499a6172ae6e6c2c39
grab_aws-data.sh	a1e9cd08073e4af3256b31e4b42f3aa69be40862b3988f964e96228f91236593
init.sh	4e059d74e599757226f93ea8ddcfb794d4bcda605f0e553fbbef47b8b7c82d2b
search.sh	ed40bce040778e2227c869dac59f54c320944e19f77543954f40019e2f2b0c35
setup_moneroocean_miner.sh	5923f20010cb7c1d59aab36ba41c84cd20c25c6e64aace65dc8243ea827b537b
Domain / IPv4
Exfiltration server	123.56.193[.]119
Miner CC	54.203.159[.]179
C2	80.211.206[.]105 164.68.106[.]96 62.234.121[.]105
Hosting malicious scripts and binaries	85..214.149[.]236 45.9.148[.]108 5.9.148[.]35
domain/email	teamtnt[.]red chimaera[.]cc hilde@teamtnt[.]red
Wallets/Keys
Wallets	88ZrgnVZ687Wg8ipWyapjCVRWL8yFMRaBDrxtiPSwAQr Nz5ZJBRozBSJrCYffurn1Qg7Jn7WpRQSAA3C8aidaeadAn4xi4k 84dg9MjSkFvXkqHQuBr6ep6TfhR3pTP8DRyTMN5s8RgYMVRc nce7Day8edLkk3TqAaSHXu2N4W3A3XjKMaSx4X8Q3KQgZnh 46EPFzvnX5GH61ejkPpNcRNm8kVjs8oHS9VwCkKRCrJX27XE W2y1NPLfSa54DGHxqnKfzDUVW1jzBfekk3hrCVCmAUrFd3H
ssh-rsa (key)	AAAAB3NzaC1yc2EAAAADAQABAAABAQDIzB9hz7bNT6qtQK CMcitaaxEB9RyJEZuumE+gUMrh6hg3ccSMg9qnAlS/Lmw5Sw wLJQXMB5WuhclPJsVawuP+pfsm1ZiGF2JnczEW5kBw1o5Fl/ 6WOV1p9MOaXHAbpi7o/5Zauu3lTktyIWuP5R9l/2pUWcFZInn aiOr1KNtCBPisNYbZ4FWAQVGwXzUWZ/ZE7SYIoOUm3EJihP PiTulegUmIzc7TzrnEn9M3U8K+LVFye+wDeSC3WNYwfjGQJA 4aFsANOiz89olh77G7IaDR8LghNfVVkRjaJ6onDZwb2CZWSiv kFsdYtL6690S407eqoes7wkJudo9Qxsn9wxNv

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia
• TeamTNT Cryptomining Explosion 🧨 - Intezer
• TeamTNT Builds Botnet from Chinese Cloud Servers - Lacework
• Cetus: Cryptojacking Worm Targeting Docker Daemons
• Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials

Appendix

[caption id="attachment_20465" align="alignnone" width="1167"] Example of TeamTNT using German language on social media[/caption]   [caption id="attachment_20466" align="alignnone" width="2048"] GitHub Repositories of the TeamTNT group[/caption]   [caption id="attachment_20467" align="alignnone" width="1095"] DNS script used by TeamTNT during the attack campaign of docker instances[/caption]   [caption id="attachment_20468" align="alignnone" width="2048"] Hosted a script to pwn Kubernetes clusters[/caption]   [caption id="attachment_20469" align="alignnone" width="2048"] Wallet info used by TeamTnT[/caption]   [caption id="attachment_20470" align="alignnone" width="2048"] TeamTNT’s official announcement of quitting their operations[/caption]   [caption id="attachment_20471" align="alignnone" width="640"] Setup script that creates a shell script for the hiding process.[/caption]   [caption id="attachment_20472" align="alignnone" width="622"] SSH credential stealing module[/caption]   Download and installation script for miner [caption id="attachment_20474" align="aligncenter" width="874"] TeamTNT used some buzz covid-19 keywords in their scripts (At the time of Campaign Covid19 was at its peak )[/caption] [caption id="attachment_20475" align="alignnone" width="964"] Setup script for Diamorphine[/caption]   [caption id="attachment_20476" align="alignnone" width="1150"] Script of mxutzh.sh[/caption]   [caption id="attachment_20477" align="alignnone" width="1114"] Code snippet which infects Docker servers with containers to mine Monero[/caption]   [caption id="attachment_20478" align="alignnone" width="1150"] Addition in the script to steal more credentials[/caption]