TeamTNT

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[1][2][3][4][5][6][7][8][9]

ID: G0139
Contributors: Will Thomas, Cyjax
Version: 1.1
Created: 01 October 2021
Last Modified: 14 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1098 .004 Account Manipulation: SSH Authorized Keys

TeamTNT has added RSA keys in authorized_keys.[8]

Enterprise T1583 .001 Acquire Infrastructure: Domains

TeamTNT has obtained domains to host their payloads.[1]

Enterprise T1595 .001 Active Scanning: Scanning IP Blocks

TeamTNT has scanned specific lists of target IP addresses.[6]

.002 Active Scanning: Vulnerability Scanning

TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.[6]

Enterprise T1071 Application Layer Protocol

TeamTNT has used an IRC bot for C2 communications.[6]

.001 Web Protocols

TeamTNT has the curl command to send credentials over HTTP and download new software.[3][4] TeamTNT has also used a custom user agent HTTP header in shell scripts.[6]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TeamTNT has added batch scripts to the startup folder.[7]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TeamTNT has executed PowerShell commands in batch scripts.[7]

.003 Command and Scripting Interpreter: Windows Command Shell

TeamTNT has used batch scripts to download tools and executing cryptocurrency miners.[7]

.004 Command and Scripting Interpreter: Unix Shell

TeamTNT has used shell scripts for execution.[6]

Enterprise T1609 Container Administration Command

TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers.[5]

Enterprise T1613 Container and Resource Discovery

TeamTNT has checked for running containers with docker ps and for specific container names with docker inspect.[6]

Enterprise T1136 .001 Create Account: Local Account

TeamTNT has created local privileged users on victim machines.[3]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

TeamTNT has established persistence through the creation of a cryptocurrency mining system service.[6]

.003 Create or Modify System Process: Windows Service

TeamTNT uses malware that adds cryptocurrency miners as a service.[7]

Enterprise T1610 Deploy Container

TeamTNT has deployed different types of containers into victim environments to facilitate execution.[3][6]

Enterprise T1587 .001 Develop Capabilities: Malware

TeamTNT has developed custom malware such as Hildegard.[5]

Enterprise T1611 Escape to Host

TeamTNT has deployed privileged containers that mount the filesystem of victim machine.[3][8]

Enterprise T1133 External Remote Services

TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments.[3] TeamTNT has also targeted exposed kubelets for Kubernetes environments.[5]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

TeamTNT has modified the permissions on binaries with chattr.[6]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TeamTNT has disabled and uninstalled security tools.[7]

.004 Impair Defenses: Disable or Modify System Firewall

TeamTNT has disabled iptables.[8]

Enterprise T1070 .002 Indicator Removal on Host: Clear Linux or Mac System Logs

TeamTNT has removed system logs from /var/log/syslog.[8]

.003 Indicator Removal on Host: Clear Command History

TeamTNT has cleared command history with history -c.[6]

.004 Indicator Removal on Host: File Deletion

TeamTNT uses a payload that removes itself after running.[7]

Enterprise T1105 Ingress Tool Transfer

TeamTNT has the curl command and batch scripts to download new tools.[3]

Enterprise T1046 Network Service Discovery

TeamTNT has used masscan to search for open Docker API ports.[4][5] TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.[1]

Enterprise T1027 Obfuscated Files or Information

TeamTNT has encrypted its binaries via AES.[6] TeamTNT has also encoded files using Base64.[8]

.002 Software Packing

TeamTNT has used UPX and Ezuri packer to pack its binaries.[6]

Enterprise T1057 Process Discovery

TeamTNT searches for rival malware and removes them if found.[6]

Enterprise T1219 Remote Access Software

TeamTNT has established tmate sessions for C2 communications.[5]

Enterprise T1021 .004 Remote Services: SSH

TeamTNT has used SSH to connect back to victim machines.[3]

Enterprise T1496 Resource Hijacking

TeamTNT has deployed XMRig Docker images to mine cryptocurrency.[2][4]

Enterprise T1014 Rootkit

TeamTNT has used the open-source rootkit Diamorphine to hide cryptocurrency mining activities on the machine.[6]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

TeamTNT has searched for security products on infected machines.[7]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

TeamTNT has uploaded backdoored Docker images to Docker Hub.[2]

Enterprise T1082 System Information Discovery

TeamTNT has searched for system version and architecture information.[7]

Enterprise T1016 System Network Configuration Discovery

TeamTNT looks for the host machine’s IP address.[6]

Enterprise T1049 System Network Connections Discovery

TeamTNT runs netstat -anp to search for rival malware connections.[6] TeamTNT has also used libprocesshider to modify /etc/ld.so.preload.[7]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TeamTNT has searched for unsecured AWS credentials and Docker API credentials.[4][6]

.004 Unsecured Credentials: Private Keys

TeamTNT has searched for unsecured SSH keys.[4][6]

.005 Unsecured Credentials: Cloud Instance Metadata API

TeamTNT has queried the AWS instance metadata service for credentials.[6]

Enterprise T1204 .003 User Execution: Malicious Image

TeamTNT relies on users to download and execute malicious Docker images.[2]

Enterprise T1102 Web Service

TeamTNT has leveraged iplogger.org to send collected data back to C2.[8]

Software

ID Name References Techniques
S0601 Hildegard [5] Application Layer Protocol, Command and Scripting Interpreter: Unix Shell, Container Administration Command, Container and Resource Discovery, Create Account: Local Account, Create or Modify System Process: Systemd Service, Deobfuscate/Decode Files or Information, Escape to Host, Exploitation for Privilege Escalation, External Remote Services, Hijack Execution Flow: Dynamic Linker Hijacking, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Clear Command History, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Network Service Discovery, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Remote Access Software, Resource Hijacking, Rootkit, System Information Discovery, Unsecured Credentials: Cloud Instance Metadata API, Unsecured Credentials: Private Keys, Unsecured Credentials: Credentials In Files, Web Service
S0349 LaZagne [7] Credentials from Password Stores: Keychain, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Proc Filesystem, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, Unsecured Credentials: Credentials In Files
S0179 MimiPenguin [1] OS Credential Dumping: Proc Filesystem
S0683 Peirates [10] Cloud Storage Object Discovery, Container Administration Command, Container and Resource Discovery, Data from Cloud Storage Object, Deploy Container, Escape to Host, Network Service Discovery, Steal Application Access Token, Unsecured Credentials: Container API, Unsecured Credentials: Cloud Instance Metadata API, Use Alternate Authentication Material: Application Access Token, Valid Accounts: Cloud Accounts

References