Cryptojacking Gang TeamTNT Makes a Comeback

Security

Security researchers have found new evidence of TeamTNT activity dating back to 2023, despite a commonly held belief that the group “evaporated” in 2022.

TeamTNT was a prolific threat actor known for cryptojacking attacks, which use victims’ IT resources to illegally mine for cryptocurrency.

The likely German-speaking actor first emerged in 2019 and became infamous for its “homebrewed malware using a comprehensive toolkit of shell scripts and malicious binaries,” according to Group-IB.

It would target vulnerable public instances of Redis, Kubernetes and Docker, stealing credentials and installing backdoors in its cryptojacking campaigns.

Read more on TeamTNT: Experts Warn of Impending TeamTNT Docker Attacks

Published yesterday, Group-IB’s latest report revealed an overlap of TeamTNT tactics, techniques and procedures (TTPs) with ongoing campaigns dating back to last year.

“Group-IB’s DFIR team identified clear evidence of a new campaign impacting VPS cloud infrastructures based on CentOS operating systems,” it said.

“The investigation revealed that the initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim’s assets, during which the threat actor uploaded a malicious script. Our DFIR experts analyzed the script, which, once executed, checks if the host has already been compromised by searching for traces of logs generated by other miners.”

The malicious script also disables security features, deletes logs and modifies system files, according to the report. It kills any cryptocurrency mining processes it discovers, removes Docker containers and updates DNS settings to Google’s servers.

Group-IB added that the script installs the “Diamorphine” rootkit for stealth and root privileges, and uses custom tools to maintain persistence and control.

“It locks down the system by modifying file attributes, creating a backdoor user with root access, and erasing command history to hide its activities,” Group-IB said.

“The entire analysis underscores TeamTNT’s advanced skills in automating its attacks and considering every single aspect and detail, from the initial access to preventing recovery attempts, aiming to inflict significant damage on the victim.”

Products You May Like

Articles You May Like

Critical Vulnerabilities Found in WordPress Plugins WPLMS and VibeBP
Brazilian Hacker Charged for Extorting $3.2M in Bitcoin After Breaching 300,000 Accounts
Major Biometric Data Farming Operation Uncovered
Ruijie Networks’ Cloud Platform Flaws Could Expose 50,000 Devices to Remote Attacks
CISA’s 2024 Review Highlights Major Efforts in Cybersecurity Industry Collaboration

Leave a Reply

Your email address will not be published. Required fields are marked *