IT & Technology
- Threat actor group, TeamTNT, compromised multiple cloud instances and containerized environments.
- Target list includes Docker, Redis server, AWS, and Kubernetes.
- Credential Stealing
- Installing backdoors, rootkits stealer, botnets, and miners
- Maintain access and moving laterally
- Network/ Port scanning tools
- Malicious Binaries
- Packers and Crypters
- Credential Stealers
- PWN Remote Services
Analysis and Attribution
- TeamTNT goes by the Twitter handle “@HildeTnT / HildeGard@TeamTNT”
- During their attack period, the group was very active on Twitter, posting and discussing:
- Attacks conducted
- Servers compromised
- Tools employed
- The group most likely originates from Germany because:
- Most of the tweets and bash scripts are in the German language.
- The account’s location is set to Deutschland.
- Comments in the bash scripts contain words from the German language.
Information from OSINT
- The following Tweet made on the group’s official account, suggests that it is a collective of 12 individuals (or more if they hired new people in late 2020).
[caption id="attachment_20458" align="aligncenter" width="1198"]
TeamTNT’s Tweet about managing a group of 12 programmers[/caption]
- TeamTNT’s Github profile contains 25 public repositories, most of which are the forks of the popular red teaming tools and other repositories possibly leveraged by them.
- The following domain was used by the group to host their malicious files and scripts while performing the attack: https://teamtnt[.]red.
- CloudSEK researchers were able to gather the following information about the domain:
- Domain was registered on 10 February 2020
- During the same time TeamTNT had begun to actively target Redis servers
- Domain is currently inactive
- Some screenshots of the domain are still available on Wayback Machine
Timeline of TeamTNT
[caption id="attachment_20459" align="alignnone" width="2048"]
Event Timeline of TeamTNT[/caption]
Redis Attacks (February 2020)
- The group has been active since February 2020 when they launched their first campaign targeting Redis servers.
[caption id="attachment_20460" align="aligncenter" width="2048"]
Attack flow for targeting the Redis server[/caption]
- The motive behind the attack was cryptojacking and the following tools were used:
- pnscan - An open-source parallel network scanner, used to scan the whole internet and look for the services listening on the default Redis port (port: 6379). The setup script generates the payload that is executed on the Redis servers.
- Tsunami - An open-source botnet, aslo known as titan or ziggystartux, used to perform DDoS attacks against targets or to execute commands on the infected machine.
- xmrigCC - A tool used for mining crypto.
- watchdog.c - A type of monitoring tool used in Linux for monitoring the mining process.
- Punk.py - A post-exploitation tool meant to help network pivot from a compromised Unix box. This tool collects usernames, SSH keys, as well as known hosts from a Unix systemt and then tries to connect via SSH to all the combinations found.
[caption id="attachment_20461" align="alignnone" width="2048"]
Detailed breakdown of the setup script used in Redis campaign[/caption]
Docker Attacks (May 2020)
- In May 2020, the group started targeting Docker by employing the same Bash scripts and malware.
- The group’s primary motive remained the same, i.e cryptojacking.
- A new tool was added to their arsenal:
- masscan - A TCP port scanner used to find misconfigured Docker services by scanning exposed ports and services. Once a victim is located, using masscan and zgrab, the attacker creates a container using Alpine image and passes an argument to the script which downloads and executes other malicious scripts.
[caption id="attachment_20462" align="alignnone" width="2048"]
Targeting Docker Instances using a Bash script[/caption]
Improvised Docker Attacks (August 2020)
- The group continued their attacks on Docker however they started using the Ubuntu images directly instead of Alpine.
- The group started using a Linux Kernel Module (LKM) rootkit named Diamorphine to hide their activities on infected machines.
- AWS credential-stealing capabilities were added into their scripts.
Weavescope Attacks (September 2020)
- TeamTNT added started exploiting Weavescope for troubleshooting and leveraging it as a backdoor for the following:
- Gaining full access to the victim’s cloud environment
- Monitoring Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS)
- Running shell commands
- The group began using two new tools to steal credentials from browser history and network connections:
- The group also began using a simple Linux ELF runtime crypter, ezuri, to encrypt their malware for evading detection.
Kubernetes Attacks (January 2021)
- Lacework Labs released a report on Tsunami (the bot used by TeamTNT) mentioning the following details:
- Only 90 of the 200 connected bots were detected with unique IP addresses from the previous scripts.
- Some of the bots behind a NAT service were sharing the same external IP address.
- Majority of the affected computers were Asian cloud instances hosted primarily by Tencent, Alibaba, and AWS.
- During this period, the group stopped attacking Redis instances and started targeting Kubernetes.
- Three new tools were being employed by the group:
- Peirates - An open-source Kubernetes Penetration Testing tool
- Botb - An open-source tool for container analysis and exploitation for Kubernetes
- libprocesshider - An open-source tool that uses the ID preloader to hide a process under Linux.
Increased Credential Stealing Capabilities (June 2021)
- The group’s target list remained the same but they expanded their credential-stealing capabilities, to the following services and applications.
- They added the plugin of AWS CLI in their script to exfiltrate maximum information about the instance inclduing resources, instance, roles, volumes, etc.
Chimaera Campaign (July 2021)
- On 25 July 2021, TeamTNT launched a campaign named “Chimaera” where they continued their attacks on Docker, Kubernetes, and Weavescope services.
- To maintain transparency, the group created a dashboard on their website that displayed campaign statistics.
[caption id="attachment_20463" align="alignnone" width="845"]
Chimaera campaign dashboard to display statistics on the website[/caption]
- The group significantly improved their enumeration technique by adding over 70 unique AWS CLI commands designed to enumerate the following 7 AWS services:
- IAM configuration
- EC2 instances
- S3 buckets
- Support cases
- Direct connection
- They also started employing LaZagne, another open-source application, to enhance their credential-stealing capabilities.
Techniques, Tactics & Procedures (TTPs)
[caption id="attachment_20464" align="alignnone" width="1677"]
TTPs employed by TeamTNT[/caption]
TeamTNT essentially employed the same strategies across all of its campaigns, however they did it by making the following adjustments to their methods:
- Account manipulation by adding their own SSH authorized_keys on compromised servers.
- Installing a scanner to scan the entire internal network for lateral movements.
- Using process monitoring tools to restart processes.
- Using scripts to install all sorts of tools, malware, and miner.
- Packing binaries to evade normal security checks .
- Using obfuscation and encodings in bash scripts and while communicating through C2 servers.
- Using kernel-level rootkits to hide their process.
- Deploying own containers for attacks and mining.
- Using data stealing cloud service credentials.
- Resource hijacking and deploying XMRig Docker images to mine cryptocurrency.
Tools & Exploits
TeamTNT employed mostly open-source tools and depended heavily on bash scripts to manage all the tools. The table below contain the list of tools used by them for conducting their activities.
Indicators of Compromise (IoCs)
|init.sh (the second script)
|Domain / IPv4
|Hosting malicious scripts and binaries
[caption id="attachment_20465" align="alignnone" width="1167"]
Example of TeamTNT using German language on social media[/caption]
[caption id="attachment_20466" align="alignnone" width="2048"]
GitHub Repositories of the TeamTNT group[/caption]
[caption id="attachment_20467" align="alignnone" width="1095"]
DNS script used by TeamTNT during the attack campaign of docker instances[/caption]
[caption id="attachment_20468" align="alignnone" width="2048"]
Hosted a script to pwn Kubernetes clusters[/caption]
[caption id="attachment_20469" align="alignnone" width="2048"]
Wallet info used by TeamTnT[/caption]
[caption id="attachment_20470" align="alignnone" width="2048"]
TeamTNT’s official announcement of quitting their operations[/caption]
[caption id="attachment_20471" align="alignnone" width="640"]
Setup script that creates a shell script for the hiding process.[/caption]
[caption id="attachment_20472" align="alignnone" width="622"]
SSH credential stealing module[/caption]
Download and installation script for miner
[caption id="attachment_20474" align="aligncenter" width="874"]
TeamTNT used some buzz covid-19 keywords in their scripts (At the time of Campaign Covid19 was at its peak )[/caption]
[caption id="attachment_20475" align="alignnone" width="964"]
Setup script for Diamorphine[/caption]
[caption id="attachment_20476" align="alignnone" width="1150"]
Script of mxutzh.sh[/caption]
[caption id="attachment_20477" align="alignnone" width="1114"]
Code snippet which infects Docker servers with containers to mine Monero[/caption]
[caption id="attachment_20478" align="alignnone" width="1150"] Addition in the script to steal more