Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

TeamTNT

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)
ID: G0139
Associated Groups: 
Version: 1.3
Created: 01 Oct 2021
Last Modified: 16 Sep 2024

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1098 .004 Account Manipulation: SSH Authorized Keys

TeamTNT has added RSA keys in authorized_keys.(Citation: Aqua TeamTNT August 2020)(Citation: Cisco Talos Intelligence Group)

Enterprise T1583 .001 Acquire Infrastructure: Domains

TeamTNT has obtained domains to host their payloads.(Citation: Palo Alto Black-T October 2020)

Enterprise T1595 .001 Active Scanning: Scanning IP Blocks

TeamTNT has scanned specific lists of target IP addresses.(Citation: Trend Micro TeamTNT)

.002 Active Scanning: Vulnerability Scanning

TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.(Citation: Trend Micro TeamTNT)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TeamTNT has the `curl` command to send credentials over HTTP and the `curl` and `wget` commands to download new software.(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Cisco Talos Intelligence Group) TeamTNT has also used a custom user agent HTTP header in shell scripts.(Citation: Trend Micro TeamTNT)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TeamTNT has added batch scripts to the startup folder.(Citation: ATT TeamTNT Chimaera September 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TeamTNT has executed PowerShell commands in batch scripts.(Citation: ATT TeamTNT Chimaera September 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

TeamTNT has used batch scripts to download tools and executing cryptocurrency miners.(Citation: ATT TeamTNT Chimaera September 2020)

.004 Command and Scripting Interpreter: Unix Shell

TeamTNT has used shell scripts for execution.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)

.009 Command and Scripting Interpreter: Cloud API

TeamTNT has leveraged AWS CLI to enumerate cloud environments with compromised credentials.(Citation: Talos TeamTNT)

Enterprise T1136 .001 Create Account: Local Account

TeamTNT has created local privileged users on victim machines.(Citation: Intezer TeamTNT September 2020)

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

TeamTNT has established persistence through the creation of a cryptocurrency mining system service using systemctl.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)

.003 Create or Modify System Process: Windows Service

TeamTNT has used malware that adds cryptocurrency miners as a service.(Citation: ATT TeamTNT Chimaera September 2020)

Enterprise T1074 .001 Data Staged: Local Data Staging

TeamTNT has aggregated collected credentials in text files before exfiltrating.(Citation: Cisco Talos Intelligence Group)

Enterprise T1587 .001 Develop Capabilities: Malware

TeamTNT has developed custom malware such as Hildegard.(Citation: Unit 42 Hildegard Malware)

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

TeamTNT has modified the permissions on binaries with chattr.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)

.004 Impair Defenses: Disable or Modify System Firewall

TeamTNT has disabled iptables.(Citation: Aqua TeamTNT August 2020)

Enterprise T1070 .002 Indicator Removal: Clear Linux or Mac System Logs

TeamTNT has removed system logs from /var/log/syslog.(Citation: Aqua TeamTNT August 2020)

.003 Indicator Removal: Clear Command History

TeamTNT has cleared command history with history -c.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)

.004 Indicator Removal: File Deletion

TeamTNT has used a payload that removes itself after running. TeamTNT also has deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.(Citation: Cisco Talos Intelligence Group)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

TeamTNT has used UPX and Ezuri packer to pack its binaries.(Citation: Trend Micro TeamTNT)

.013 Obfuscated Files or Information: Encrypted/Encoded File

TeamTNT has encrypted its binaries via AES and encoded files using Base64.(Citation: Trend Micro TeamTNT)(Citation: Aqua TeamTNT August 2020)

Enterprise T1021 .004 Remote Services: SSH

TeamTNT has used SSH to connect back to victim machines.(Citation: Intezer TeamTNT September 2020) TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them.(Citation: Cisco Talos Intelligence Group)

Enterprise T1496 .001 Resource Hijacking: Compute Hijacking

TeamTNT has deployed XMRig Docker images to mine cryptocurrency.(Citation: Lacework TeamTNT May 2021)(Citation: Cado Security TeamTNT Worm August 2020) TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.(Citation: Cisco Talos Intelligence Group)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

TeamTNT has searched for security products on infected machines.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

TeamTNT has uploaded backdoored Docker images to Docker Hub.(Citation: Lacework TeamTNT May 2021)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TeamTNT has searched for unsecured AWS credentials and Docker API credentials.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)

.004 Unsecured Credentials: Private Keys

TeamTNT has searched for unsecured SSH keys.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Trend Micro TeamTNT)

.005 Unsecured Credentials: Cloud Instance Metadata API

TeamTNT has queried the AWS instance metadata service for credentials.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)

Enterprise T1204 .003 User Execution: Malicious Image

TeamTNT has relied on users to download and execute malicious Docker images.(Citation: Lacework TeamTNT May 2021)

Software

ID Name References Techniques
S0601 Hildegard (Citation: Unit 42 Hildegard Malware) Application Layer Protocol, Private Keys, File Deletion, Container Administration Command, Container and Resource Discovery, Dynamic Linker Hijacking, Network Service Discovery, External Remote Services, Credentials In Files, Software Packing, Masquerade Task or Service, Disable or Modify Tools, System Information Discovery, Web Service, Rootkit, Clear Command History, Remote Access Software, Deobfuscate/Decode Files or Information, Compute Hijacking, Local Account, Ingress Tool Transfer, Cloud Instance Metadata API, Encrypted/Encoded File, Systemd Service, Escape to Host, Exploitation for Privilege Escalation, Unix Shell
S0179 MimiPenguin (Citation: MimiPenguin GitHub May 2017) (Citation: Palo Alto Black-T October 2020) Proc Filesystem
S0683 Peirates (Citation: Peirates GitHub) (Citation: TeamTNT Cloud Enumeration) Container and Resource Discovery, Container Administration Command, Escape to Host, Application Access Token, Data from Cloud Storage, Network Service Discovery, Deploy Container, Container API, Cloud Storage Object Discovery, Cloud Instance Metadata API, Steal Application Access Token, Cloud Accounts
S0349 LaZagne (Citation: ATT TeamTNT Chimaera September 2020) (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018) Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.