TeamTNT
Associated Group Descriptions |
|
Name | Description |
---|---|
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1098 | .004 | Account Manipulation: SSH Authorized Keys |
TeamTNT has added RSA keys in |
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
TeamTNT has obtained domains to host their payloads.(Citation: Palo Alto Black-T October 2020) |
Enterprise | T1595 | .001 | Active Scanning: Scanning IP Blocks |
TeamTNT has scanned specific lists of target IP addresses.(Citation: Trend Micro TeamTNT) |
.002 | Active Scanning: Vulnerability Scanning |
TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.(Citation: Trend Micro TeamTNT) |
||
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
TeamTNT has the `curl` command to send credentials over HTTP and the `curl` and `wget` commands to download new software.(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Cisco Talos Intelligence Group) TeamTNT has also used a custom user agent HTTP header in shell scripts.(Citation: Trend Micro TeamTNT) |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
TeamTNT has added batch scripts to the startup folder.(Citation: ATT TeamTNT Chimaera September 2020) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
TeamTNT has executed PowerShell commands in batch scripts.(Citation: ATT TeamTNT Chimaera September 2020) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
TeamTNT has used batch scripts to download tools and executing cryptocurrency miners.(Citation: ATT TeamTNT Chimaera September 2020) |
||
.004 | Command and Scripting Interpreter: Unix Shell |
TeamTNT has used shell scripts for execution.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group) |
||
.009 | Command and Scripting Interpreter: Cloud API |
TeamTNT has leveraged AWS CLI to enumerate cloud environments with compromised credentials.(Citation: Talos TeamTNT) |
||
Enterprise | T1136 | .001 | Create Account: Local Account |
TeamTNT has created local privileged users on victim machines.(Citation: Intezer TeamTNT September 2020) |
Enterprise | T1543 | .002 | Create or Modify System Process: Systemd Service |
TeamTNT has established persistence through the creation of a cryptocurrency mining system service using |
.003 | Create or Modify System Process: Windows Service |
TeamTNT has used malware that adds cryptocurrency miners as a service.(Citation: ATT TeamTNT Chimaera September 2020) |
||
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
TeamTNT has aggregated collected credentials in text files before exfiltrating.(Citation: Cisco Talos Intelligence Group) |
Enterprise | T1587 | .001 | Develop Capabilities: Malware |
TeamTNT has developed custom malware such as Hildegard.(Citation: Unit 42 Hildegard Malware) |
Enterprise | T1222 | .002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
TeamTNT has modified the permissions on binaries with |
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group) |
.004 | Impair Defenses: Disable or Modify System Firewall |
TeamTNT has disabled |
||
Enterprise | T1070 | .002 | Indicator Removal: Clear Linux or Mac System Logs |
TeamTNT has removed system logs from |
.003 | Indicator Removal: Clear Command History |
TeamTNT has cleared command history with |
||
.004 | Indicator Removal: File Deletion |
TeamTNT has used a payload that removes itself after running. TeamTNT also has deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group) |
||
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.(Citation: Cisco Talos Intelligence Group) |
Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
TeamTNT has used UPX and Ezuri packer to pack its binaries.(Citation: Trend Micro TeamTNT) |
.013 | Obfuscated Files or Information: Encrypted/Encoded File |
TeamTNT has encrypted its binaries via AES and encoded files using Base64.(Citation: Trend Micro TeamTNT)(Citation: Aqua TeamTNT August 2020) |
||
Enterprise | T1021 | .004 | Remote Services: SSH |
TeamTNT has used SSH to connect back to victim machines.(Citation: Intezer TeamTNT September 2020) TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them.(Citation: Cisco Talos Intelligence Group) |
Enterprise | T1496 | .001 | Resource Hijacking: Compute Hijacking |
TeamTNT has deployed XMRig Docker images to mine cryptocurrency.(Citation: Lacework TeamTNT May 2021)(Citation: Cado Security TeamTNT Worm August 2020) TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.(Citation: Cisco Talos Intelligence Group) |
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
TeamTNT has searched for security products on infected machines.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group) |
Enterprise | T1608 | .001 | Stage Capabilities: Upload Malware |
TeamTNT has uploaded backdoored Docker images to Docker Hub.(Citation: Lacework TeamTNT May 2021) |
Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
TeamTNT has searched for unsecured AWS credentials and Docker API credentials.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group) |
.004 | Unsecured Credentials: Private Keys |
TeamTNT has searched for unsecured SSH keys.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Trend Micro TeamTNT) |
||
.005 | Unsecured Credentials: Cloud Instance Metadata API |
TeamTNT has queried the AWS instance metadata service for credentials.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group) |
||
Enterprise | T1204 | .003 | User Execution: Malicious Image |
TeamTNT has relied on users to download and execute malicious Docker images.(Citation: Lacework TeamTNT May 2021) |
References
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
- Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
- Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
- AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
- Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
- Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 16, 2024.
- Nathaniel Quist. (2021, June 4). TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations. Retrieved February 8, 2022.
- Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021.
- Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.
- Intezer. (2021, September 1). TeamTNT Cryptomining Explosion. Retrieved October 15, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.