Security Researchers Uncover Evidence of TeamTNT Activity Resurfacing
Recent findings by security researchers have shed light on the reemergence of TeamTNT activity in 2023, contradicting the prevailing belief that the group had disbanded in 2022.
The Legacy of TeamTNT
TeamTNT gained notoriety as a prominent threat actor specializing in cryptojacking, the hijacking of victims’ compute resources to mine cryptocurrency for the attacker.
Originating in the German-speaking region in 2019, the group garnered attention for crafting its own malware using an extensive toolkit comprising shell scripts and malicious binaries, as highlighted by Group-IB.
Targeting vulnerable public instances of Redis, Kubernetes, and Docker, TeamTNT’s modus operandi involved pilfering credentials and implanting backdoors as part of their cryptojacking endeavors.
Resurgence of TeamTNT Tactics
Group-IB’s latest report unveiled a resurgence of TeamTNT’s tactics, techniques, and procedures (TTPs) in recent campaigns extending back to the previous year.
According to the report released yesterday, Group-IB’s Digital Forensics and Incident Response (DFIR) team uncovered a new campaign affecting VPS cloud infrastructures running on CentOS operating systems.
The initial breach occurred through a Secure Shell (SSH) brute force attack, after which the threat actor uploaded a malicious script. On execution, the script checks for signs of prior compromise by examining logs left behind by other miners.
Furthermore, the malicious script tampers with security settings, eliminates logs, and alters system files. It terminates any cryptocurrency mining processes, eradicates Docker containers, and updates DNS configurations to Google’s servers.
Advanced Techniques Employed by TeamTNT
Group-IB highlighted that the script deploys the “Diamorphine” rootkit to gain stealth and root privileges, along with custom tools to sustain persistence and control.
The script also modifies file attributes, creates a backdoor user with root access, and erases command history to cover its tracks. In Group-IB’s assessment, this shows TeamTNT’s skill at automating attacks and attending to every detail, from initial access to thwarting recovery efforts.
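The post-compromise artefacts listed above lend themselves to simple host checks. The following script is an added example for defenders, not code from the Group-IB report; the sample passwd, resolv.conf, lsmod, lsattr and SSH log content is constructed, and the checks assume the common form of each artefact (a second UID 0 account for the backdoor user, the ext immutable flag for attribute tampering, Google’s 8.8.8.8/8.8.4.4 resolvers, and a Diamorphine module visible in lsmod).

```python
import re
from collections import Counter

# Constructed sample host artefacts (not taken from the report); they mimic the
# post-compromise state described above so that each check has something to flag.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "centos:x:1000:1000::/home/centos:/bin/bash\n"
    "sysupdate:x:0:0::/var/tmp/.sys:/bin/bash\n"  # hypothetical backdoor account with UID 0
)
SAMPLE_RESOLV = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n"
SAMPLE_LSMOD = "Module Size Used by\next4 700000 1\ndiamorphine 16384 0\n"
SAMPLE_LSATTR = "----i--------e-- /etc/passwd\n--------------e-- /etc/hostname\n"
SAMPLE_AUTH = [
    "sshd[1201]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "sshd[1203]: Failed password for root from 203.0.113.9 port 51030 ssh2",
    "sshd[1205]: Failed password for invalid user admin from 203.0.113.9 port 51041 ssh2",
    "sshd[1207]: Accepted password for root from 203.0.113.9 port 51055 ssh2",
    "sshd[1300]: Accepted publickey for centos from 198.51.100.7 port 40022 ssh2",
]

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+)")

def extra_uid0_accounts(passwd_text):
    """Accounts other than root that carry UID 0: the backdoor-user pattern."""
    rows = [l.split(":") for l in passwd_text.splitlines() if l]
    return [r[0] for r in rows if len(r) > 2 and r[2] == "0" and r[0] != "root"]

def resolver_changed_to_google(resolv_text):
    """True when every configured nameserver is one of Google's public resolvers."""
    servers = {l.split()[1] for l in resolv_text.splitlines() if l.startswith("nameserver")}
    return bool(servers) and servers <= {"8.8.8.8", "8.8.4.4"}

def rootkit_modules(lsmod_text, names=("diamorphine",)):
    """Loaded kernel modules whose name matches a known rootkit (header line skipped)."""
    return [l.split()[0] for l in lsmod_text.splitlines()[1:] if l.split()[0] in names]

def immutable_files(lsattr_text):
    """Paths carrying the 'i' (immutable) attribute, a sign of attribute tampering."""
    return [p for a, p in (l.split(maxsplit=1) for l in lsattr_text.splitlines()) if "i" in a]

def bruteforce_then_login(log_lines, threshold=3):
    """Source IPs with >= threshold failed SSH logins that later succeeded."""
    fails = Counter(m.group(2) for m in map(FAILED.search, log_lines) if m)
    accepted = {m.group(2) for m in map(ACCEPTED.search, log_lines) if m}
    return sorted(ip for ip, n in fails.items() if n >= threshold and ip in accepted)
```

On a live host, feed the functions the real /etc/passwd, /etc/resolv.conf, `lsmod`, `lsattr` and auth log contents; any non-empty result is a finding to triage, and a hidden rootkit may not appear in lsmod at all, so an empty result there is not a clean bill of health.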
The comprehensive analysis underscores TeamTNT’s proficiency in inflicting substantial harm on victims through a well-orchestrated assault.