TeamTNT

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[1][2][3][4][5][6][7][8][9]

ID: G0139
Contributors: Will Thomas, Cyjax; Darin Smith, Cisco
Version: 1.3
Created: 01 October 2021
Last Modified: 16 September 2024

Techniques Used

Domain ID Name Use
Enterprise T1014 Rootkit

TeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine.[6] [10]

Enterprise T1595 .001 Active Scanning: Scanning IP Blocks

TeamTNT has scanned specific lists of target IP addresses.[6]

.002 Active Scanning: Vulnerability Scanning

TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.[6]

Enterprise T1036 Masquerading

TeamTNT has disguised their scripts with docker-related file names.[10]

.005 Match Legitimate Name or Location

TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.[10]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

TeamTNT has established persistence through the creation of a cryptocurrency mining system service using systemctl.[6][10]

.003 Create or Modify System Process: Windows Service

TeamTNT has used malware that adds cryptocurrency miners as a service.[7]

Enterprise T1136 .001 Create Account: Local Account

TeamTNT has created local privileged users on victim machines.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope.[10]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TeamTNT has added batch scripts to the startup folder.[7]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TeamTNT has executed PowerShell commands in batch scripts.[7]

.003 Command and Scripting Interpreter: Windows Command Shell

TeamTNT has used batch scripts to download tools and execute cryptocurrency miners.[7]

.004 Command and Scripting Interpreter: Unix Shell

TeamTNT has used shell scripts for execution.[6][10]

.009 Command and Scripting Interpreter: Cloud API

TeamTNT has leveraged AWS CLI to enumerate cloud environments with compromised credentials.[11]

Enterprise T1120 Peripheral Device Discovery

TeamTNT has searched for attached VGA devices using lspci.[10]

Enterprise T1133 External Remote Services

TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments.[3][10] TeamTNT has also targeted exposed kubelets for Kubernetes environments.[5]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.[7][10]

.004 Impair Defenses: Disable or Modify System Firewall

TeamTNT has disabled iptables.[8]

Enterprise T1613 Container and Resource Discovery

TeamTNT has checked for running containers with docker ps and for specific container names with docker inspect.[6] TeamTNT has also searched for Kubernetes pods running in a local network.[10]

Enterprise T1609 Container Administration Command

TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers.[5]

Enterprise T1071 Application Layer Protocol

TeamTNT has used an IRC bot for C2 communications.[6]

.001 Web Protocols

TeamTNT has used the curl command to send credentials over HTTP and the curl and wget commands to download new software.[3][4][10] TeamTNT has also used a custom user agent HTTP header in shell scripts.[6]

Enterprise T1587 .001 Develop Capabilities: Malware

TeamTNT has developed custom malware such as Hildegard.[5]

Enterprise T1074 .001 Data Staged: Local Data Staging

TeamTNT has aggregated collected credentials in text files before exfiltrating.[10]

Enterprise T1083 File and Directory Discovery

TeamTNT has used a script that checks /proc/*/environ for environment variables related to AWS.[10]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

TeamTNT has modified the permissions on binaries with chattr.[6][10]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

TeamTNT has uploaded backdoored Docker images to Docker Hub.[2]

Enterprise T1048 Exfiltration Over Alternative Protocol

TeamTNT has sent locally staged files with collected credentials to C2 servers using cURL.[10]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TeamTNT has searched for unsecured AWS credentials and Docker API credentials.[4][6][10]

.004 Unsecured Credentials: Private Keys

TeamTNT has searched for unsecured SSH keys.[4][6]

.005 Unsecured Credentials: Cloud Instance Metadata API

TeamTNT has queried the AWS instance metadata service for credentials.[6][10]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

TeamTNT has used UPX and Ezuri packer to pack its binaries.[6]

.013 Obfuscated Files or Information: Encrypted/Encoded File

TeamTNT has encrypted its binaries via AES and encoded files using Base64.[6][8]

Enterprise T1204 .003 User Execution: Malicious Image

TeamTNT has relied on users to download and execute malicious Docker images.[2]

Enterprise T1070 .002 Indicator Removal: Clear Linux or Mac System Logs

TeamTNT has removed system logs from /var/log/syslog.[8]

.003 Indicator Removal: Clear Command History

TeamTNT has cleared command history with history -c.[6][10]

.004 Indicator Removal: File Deletion

TeamTNT has used a payload that removes itself after running. TeamTNT also has deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them.[7][10]

Enterprise T1082 System Information Discovery

TeamTNT has searched for system version, architecture, disk partition, logical volume, and hostname information.[7][10]

Enterprise T1569 System Services

TeamTNT has created system services to execute cryptocurrency mining software.[10]

Enterprise T1007 System Service Discovery

TeamTNT has searched for services such as Alibaba Cloud Security's aliyun service and BMC Helix Cloud Security's bmc-agent service in order to disable them.[10]

Enterprise T1049 System Network Connections Discovery

TeamTNT has run netstat -anp to search for rival malware connections.[6] TeamTNT has also used libprocesshider to modify /etc/ld.so.preload.[7]

Enterprise T1016 System Network Configuration Discovery

TeamTNT has enumerated the host machine’s IP address.[6]

Enterprise T1102 Web Service

TeamTNT has leveraged iplogger.org to send collected data back to C2.[8][10]

Enterprise T1046 Network Service Discovery

TeamTNT has used masscan to search for open Docker API ports and Kubernetes clusters.[4][5][10] TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.[1]

Enterprise T1583 .001 Acquire Infrastructure: Domains

TeamTNT has obtained domains to host their payloads.[1]

Enterprise T1098 .004 Account Manipulation: SSH Authorized Keys

TeamTNT has added RSA keys in authorized_keys.[8][10]

Enterprise T1496 .001 Resource Hijacking: Compute Hijacking

TeamTNT has deployed XMRig Docker images to mine cryptocurrency.[2][4] TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.[10]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

TeamTNT has searched for security products on infected machines.[7][10]

Enterprise T1105 Ingress Tool Transfer

TeamTNT has used the curl and wget commands as well as batch scripts to download new tools.[3][10]

Enterprise T1057 Process Discovery

TeamTNT has searched for rival malware and removed it if found.[6] TeamTNT has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools.[10]

Enterprise T1021 .004 Remote Services: SSH

TeamTNT has used SSH to connect back to victim machines.[3] TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them.[10]

Enterprise T1219 Remote Access Software

TeamTNT has established tmate sessions for C2 communications.[5][10]

Enterprise T1611 Escape to Host

TeamTNT has deployed privileged containers that mount the filesystem of the victim machine.[3][8]

Enterprise T1610 Deploy Container

TeamTNT has deployed different types of containers into victim environments to facilitate execution.[3][6] TeamTNT has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges.[10]

Software

ID Name References Techniques
S0601 Hildegard [5] Rootkit, Masquerading: Masquerade Task or Service, Create or Modify System Process: Systemd Service, Create Account: Local Account, Hijack Execution Flow: Dynamic Linker Hijacking, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Unix Shell, External Remote Services, Impair Defenses: Disable or Modify Tools, Container and Resource Discovery, Container Administration Command, Application Layer Protocol, Unsecured Credentials: Private Keys, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Cloud Instance Metadata API, Exploitation for Privilege Escalation, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, Indicator Removal: Clear Command History, System Information Discovery, Web Service, Network Service Discovery, Resource Hijacking: Compute Hijacking, Ingress Tool Transfer, Remote Access Software, Escape to Host
S0349 LaZagne [7] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0179 MimiPenguin [1] OS Credential Dumping: Proc Filesystem
S0683 Peirates [12] Cloud Storage Object Discovery, Data from Cloud Storage, Use Alternate Authentication Material: Application Access Token, Container and Resource Discovery, Container Administration Command, Valid Accounts: Cloud Accounts, Unsecured Credentials: Container API, Unsecured Credentials: Cloud Instance Metadata API, Steal Application Access Token, Network Service Discovery, Escape to Host, Deploy Container

References