Threat actor group, TeamTNT, compromised multiple cloud instances and containerized environments.
Target list includes Docker, Redis server, AWS, and Kubernetes.
Installing backdoors, rootkits, stealers, botnets, and miners
Maintaining access and moving laterally
Network/port scanning tools
Packers and crypters
Pwning remote services
Analysis and Attribution
TeamTNT goes by the Twitter handle “@HildeTnT / HildeGard@TeamTNT”. During their attack period, the group was very active on Twitter, posting and discussing:
The group most likely originates from Germany because:
Most of the tweets and bash scripts are in the German language. The account’s location is set to Deutschland. Comments in the bash scripts contain words from the
Information from OSINT
The following Tweet, made on the group’s official account, suggests that it is a collective of 12 individuals (or more, if they hired new people in late 2020).
TeamTNT’s Tweet about managing a group of 12 programmers
The group’s GitHub profile contains 25 public repositories, most of which are forks of popular red teaming tools and other repositories they possibly leveraged. The following domain was used by the group to host their malicious files and scripts while performing the attack:
https://teamtnt[.]red. CloudSEK researchers were able to gather the following information about the domain:
The domain was registered on 10 February 2020.
Around the same time, TeamTNT had begun to actively target Redis servers.
The domain is currently inactive.
Some screenshots of the domain are still available on
Timeline of TeamTNT
Event Timeline of TeamTNT
Redis Attacks (February 2020)
The group has been active since February 2020 when they launched their first campaign targeting Redis servers.
Attack flow for targeting the Redis server
The motive behind the attack was cryptojacking and the following tools were used:
pnscan – An open-source parallel network scanner, used to scan the whole internet for services listening on the default Redis port (port 6379). The setup script generates the payload that is executed on the Redis servers.
Tsunami – An open-source botnet, also known as Titan or ZiggyStarTux, used to perform DDoS attacks against targets or to execute commands on the infected machine.
xmrigCC – A tool used for mining cryptocurrency.
watchdog.c – A Linux monitoring tool used to watch over the mining process.
Punk.py – A post-exploitation tool meant to help pivot through the network from a compromised Unix box. It collects usernames, SSH keys, and known hosts from a Unix system and then tries to connect via SSH to all the combinations found.
Detailed breakdown of the setup script used in Redis campaign
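The Redis campaign above depended on instances that answered on port 6379 to anyone on the internet and accepted commands without authentication. The following audit is an added example (not code from the report or from TeamTNT) that parses a redis.conf and flags that exposure; the two configurations are constructed samples, and the password value is a placeholder.

```python
"""Flag the redis.conf settings that leave an instance open to an internet-wide
port-6379 sweep: listening on all interfaces, protected-mode off, no password,
and the CONFIG command still reachable by remote clients.
Added example; configuration text is parsed from strings so it runs offline."""
from __future__ import annotations

# Constructed sample: an unhardened instance, as exposed Redis servers often run.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same instance hardened (password is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-strong-passphrase
rename-command CONFIG ""
"""

def parse_conf(text: str) -> dict[str, list[str]]:
    """Map each directive to the list of its argument strings (directives may repeat)."""
    out: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        out.setdefault(name.lower(), []).append(args.strip())
    return out

def audit_redis_conf(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings: list[str] = []
    binds = conf.get("bind", [])
    # No bind line at all means the server listens on every interface.
    if not binds or any(a in b.split() for b in binds for a in ("0.0.0.0", "*", "::")):
        findings.append("listens on all interfaces (no bind / bind 0.0.0.0)")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode disabled")
    if not any(a for a in conf.get("requirepass", [])):
        findings.append("no requirepass: unauthenticated access")
    # CONFIG lets any connected client rewrite server settings; rename or disable it.
    renamed = any(a.upper().split()[:1] == ["CONFIG"] for a in conf.get("rename-command", []))
    if not renamed:
        findings.append("CONFIG command not renamed or disabled")
    return findings
```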
Docker Attacks (May 2020)
In May 2020, the group started targeting Docker by employing the same Bash scripts and malware.
The group’s primary motive remained the same, i.e. cryptojacking.
A new tool was added to their arsenal:
masscan – A TCP port scanner used to find misconfigured Docker services by scanning exposed ports and services. Once a victim is located using masscan and zgrab, the attacker creates a container from the Alpine image and passes an argument to the script, which downloads and executes other malicious scripts.
Targeting Docker Instances using a Bash script
Improvised Docker Attacks (August 2020)
The group continued their attacks on Docker; however, they started using Ubuntu images directly instead of Alpine.
The group started using a Linux Kernel Module (LKM) rootkit named Diamorphine to hide their activities on infected machines. AWS credential-stealing capabilities were added to their scripts.
Weavescope Attacks (September 2020)
TeamTNT started exploiting Weavescope, a tool intended for troubleshooting, and leveraging it as a backdoor for the following:
Gaining full access to the victim’s cloud environment
Monitoring Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS)
Running shell commands
The group began using two new tools to steal credentials from browser history and network connections:
The group also began using a simple Linux ELF runtime crypter, ezuri, to encrypt their malware to evade detection.
Kubernetes Attacks (January 2021)
Lacework Labs released a report on Tsunami (the bot used by TeamTNT) mentioning the following details:
Only 90 of the 200 bots connected from the previous scripts were detected with unique IP addresses.
Some of the bots behind a NAT service were sharing the same external IP address.
The majority of the affected computers were Asian cloud instances, hosted primarily by Tencent, Alibaba, and AWS.
During this period, the group stopped attacking Redis instances and started targeting Kubernetes.
Three new tools were employed by the group:
Peirates – An open-source Kubernetes penetration testing tool.
Botb – An open-source container analysis and exploitation tool for Kubernetes.
libprocesshider – An open-source tool that uses the ld preloader to hide a process under Linux.
Increased Credential Stealing Capabilities (June 2021)
The group’s target list remained the same, but they expanded their credential-stealing capabilities to the following services and applications:
They added the AWS CLI plugin to their script to exfiltrate as much information about the instance as possible, including resources, instances, roles, volumes, etc.
Chimaera Campaign (July 2021)
On 25 July 2021, TeamTNT launched a campaign named “Chimaera” where they continued their attacks on Docker, Kubernetes, and Weavescope services.
To maintain transparency, the group created a dashboard on their website that displayed campaign statistics.
Chimaera campaign dashboard to display statistics on the website
The group significantly improved their enumeration technique by adding over 70 unique AWS CLI commands designed to enumerate the following 7 AWS services:
They also started employing LaZagne, another open-source application, to enhance their credential-stealing capabilities.
Techniques, Tactics & Procedures (TTPs)
TTPs employed by TeamTNT
TeamTNT essentially employed the same strategies across all of its campaigns; however, they refined their methods with the following adjustments:
Account manipulation by adding their own SSH authorized_keys on compromised servers.
Installing a scanner to scan the entire internal network for lateral movement.
Using process monitoring tools to restart processes.
Using scripts to install all sorts of tools, malware, and miners.
Packing binaries to evade normal security checks.
Using obfuscation and encodings in bash scripts and while communicating with C2 servers.
Using kernel-level rootkits to hide their processes.
Deploying their own containers for attacks and mining.
Stealing cloud service credentials with data-stealing tools.
Resource hijacking and deploying XMRig Docker images to mine cryptocurrency.
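Two of the adjustments listed above leave direct traces on the host: an appended entry in a user’s SSH authorized_keys, and a library registered in /etc/ld.so.preload, which is the mechanism libprocesshider relies on. The checks below are an added example (not the report’s or TeamTNT’s code) that work on file contents passed as strings, so they run offline; the baseline key, the authorized_keys sample and the preload sample are constructed.

```python
"""Host checks for two TeamTNT persistence traces: unexpected SSH authorized_keys
entries and libraries registered through /etc/ld.so.preload.
Added example; file contents are passed in as strings (constructed samples below)."""
from __future__ import annotations

# Constructed baseline: the key the administrator expects on this host.
EXPECTED_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY admin@corp"}

# Constructed sample of /root/.ssh/authorized_keys after an attacker appended a key.
SAMPLE_AUTH_KEYS = """
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY admin@corp
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLEUNKNOWNKEY
"""

# Constructed sample of /etc/ld.so.preload; on most hosts this file should not exist.
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n"

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def unexpected_authorized_keys(contents: str, expected: set[str]) -> list[str]:
    """Return 'type base64' pairs present in the file but absent from the baseline."""
    expected_material = {" ".join(k.split()[:2]) for k in expected}
    unexpected: list[str] = []
    for line in contents.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        # Entries may start with options (command=..., no-pty); the key type is the
        # first token that looks like one, and the base64 material follows it.
        for i, tok in enumerate(parts):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(parts):
                material = f"{tok} {parts[i + 1]}"
                if material not in expected_material:
                    unexpected.append(material)
                break
    return unexpected

def preload_findings(contents: str) -> list[str]:
    """Report every ld.so.preload entry; any entry deserves review, and one outside
    the system library directories is a strong process-hiding indicator."""
    findings: list[str] = []
    for path in contents.split():
        if path.startswith(TRUSTED_LIB_DIRS):
            findings.append(f"preloaded library present: {path}")
        else:
            findings.append(f"preloaded library outside system dirs: {path}")
    return findings

def audit_host(auth_keys: str, preload: str, expected: set[str]) -> dict[str, list[str]]:
    """Combine both checks into one report keyed by check name."""
    return {"authorized_keys": unexpected_authorized_keys(auth_keys, expected),
            "ld.so.preload": preload_findings(preload)}
```

On a live host the strings would come from reading the two files, and the reported `authorized_keys` entries map directly to the account-manipulation item in the list above.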
Tools & Exploits
TeamTNT employed mostly open-source tools and depended heavily on bash scripts to manage them. The table below contains the list of tools they used for conducting their activities.
Indicators of Compromise (IoCs)
init.sh (the second script)
Domain / IPv4
Hosting malicious scripts and binaries
Example of TeamTNT using German language on social media
GitHub Repositories of the TeamTNT group
DNS script used by TeamTNT during the attack campaign of docker instances
Hosted a script to pwn Kubernetes clusters
Wallet info used by TeamTNT
TeamTNT’s official announcement of quitting their operations
Setup script that creates a shell script for hiding the process.
SSH credential stealing module
Download and installation script for miner
TeamTNT used some COVID-19 buzzwords in their scripts (at the time of the campaign, COVID-19 was at its peak)
Setup script for Diamorphine
The mxutzh.sh script
Code snippet which infects Docker servers with containers to mine Monero
Addition in the script to steal more credentials