Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group
by David Fiser and Alfredo Oliveira
Trend Micro Research, 2021
https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf
| Notes |
|---|
| Trend Micro |
| container |
| honeypot |
| cryptocurrency miner |
| Linux malware |
| Redis |
| TeamTNT |
| financially-motivated threat actor |
| threat actor |
| TeamTNT’s members are likely German, judging by their social media posts and by code comments written in fluent German |
| ELF |
| HildeGard |
| shell script |
| Docker |
| difficulty of guessing precise number of members in a hacking group |
| Trend Micro estimates that TeamTNT has around 12 members, based on the group's own social media posts claiming 12 members |
| Twitter, tweet |
| attribution |
| false attribution |
| penetration tester |
| security researcher |
| malware |
| malware campaign |
| DDoS |
| botnet |
| Docker Daemon |
| IRC command and control |
| IRC |
| TNTbotinger |
| credential stealer |
| pandemic |
| COVID-19 |
| worm |
| TeamTNT campaigns: Covid-19, Black-T, Competitor Killer, Dual Installer, Kinsing Killer, Meoow, SayHi, Weave Persistent, PWN Redis, Get Some SSH, Docker4Mac, AWS Stealer |
| INFECT_ALL_CONTAINERS function |
| deploying malicious containers |
| DevOps |
| kirito666/blackt |
| Kinsing malware |
| territorial malware |
| macOS |
| macOS malware |
| CSP (Cloud Service Provider) |
| Weave Scope |
| container orchestration |
| AWS |
| SSH |
| leaked credentials |
| vulnerability scanning |
| IRC bot |
| SSH credential theft |
| SSH key persistence |
| ~/.aws/credentials |
| root user |
| home directory |
| curl |
| sayhi.bplaced[.]net |
| environment variables |
| command and control |
| credential harvesting: AWS, Cloudflare, Google Cloud, Git, SMB, FTP, … |
| backdoor |
| tshd (tiny shell daemon) https://github.com/orangetw/tsh |
| reverse engineering |
| GitHub |
| Q-shell https://github.com/qianshanhai/q-shell |
| Blowfish |
| Diamorphine rootkit |
| persistence |
| getdents/getdents64 |
| hooking |
| signal |
| SIGINVIS, PF_INVISIBLE |
| SIGSUPER |
| SIGMODINVIS |
| XMRig |
| systemd service persistence |
| wget, curl |
| User-Agent |
| Using the HTTP User-Agent header to communicate with the C2 server |
| immutable flag |
| chattr |
| filesystem permissions |
| user account persistence |
| hilde user |
| base64 |
| UPX |
| AES |
| Go malware |
| Ezuri packer https://github.com/guitmz/ezuri |
| initialization vector |
| hard-coded IV |
| obfuscation |
| Dorkbot |
| chatbot |
| Hydra IoT malware |
| Kaiten/Tsunami |
| non-stripped binaries |
| TeamTNT’s IRC bot is likely based on Kaiten, judging by the symbols observed in the non-stripped samples |
| decompile |
| Ziggy StarTux |
| money laundering |
| quantity over quality |
| cryptocurrency wallet |
| gulf.moneroocean[.]stream |
| Monero |
| GPU |
| principle of least privilege |
| shared responsibility |
| use key-based authentication for SSH instead of passwords |
| keep systems patched and up to date |
| CI/CD |
| IPS |
| MITRE ATT&CK |
| privilege escalation |
| lateral movement |
| IoC |
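Several of the persistence notes above (the `hilde` user account, SSH key persistence in `authorized_keys`, systemd service persistence for the XMRig miner, and the `chattr` immutable flag) translate directly into host triage checks. The script below is an added example written for this note page; it is not code from the Trend Micro paper or from TeamTNT's tooling. The paths it inspects, the miner name pattern (`xmrig`) and the "dropped in /tmp, /dev/shm or /var/tmp" heuristic are assumptions chosen for illustration. Pass the root of a mounted disk image or copied tree as the first argument to run it offline; with no argument it inspects the live host.

```shell
#!/bin/sh
# Host triage for TeamTNT-style persistence artifacts (added example, not the
# paper's code). Each check takes a filesystem root so it works on a mounted
# image as well as on the live system, and always returns 0 so that it can be
# run under "set -e" from an incident-response wrapper.

# 1. Local accounts created for persistence. The paper names "hilde"; a
#    second UID-0 account is a common variant, so flag that as well.
check_users() {
  root="$1"
  passwd="$root/etc/passwd"
  [ -r "$passwd" ] || return 0
  awk -F: '$1=="hilde" || ($3==0 && $1!="root") {
             print "suspicious account: " $1 " uid=" $3 " shell=" $7 }' "$passwd"
  return 0
}

# 2. SSH key persistence: list every key in root's and each user's
#    authorized_keys with its comment, so an unexpected key stands out.
check_ssh_keys() {
  root="$1"
  for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
    [ -r "$f" ] || continue
    awk -v file="$f" 'NF>=2 && $1 !~ /^#/ {
        print "ssh key in " file ": " $1 " " substr($2,1,16) "... " $3 }' "$f"
  done
  return 0
}

# 3. systemd service persistence: unit files whose ExecStart references a
#    miner by name, or a binary dropped in a world-writable scratch directory
#    (assumed heuristic; tune the pattern to your environment).
check_systemd() {
  root="$1"
  for d in "$root"/etc/systemd/system "$root"/usr/lib/systemd/system; do
    [ -d "$d" ] || continue
    for f in "$d"/*.service; do
      [ -r "$f" ] || continue
      grep -Hi -E '^ExecStart=.*(xmrig|/tmp/|/dev/shm/|/var/tmp/)' "$f" || true
    done
  done
  return 0
}

# 4. Immutable flag (chattr +i) on files the actor protects against cleanup.
#    lsattr only reports attributes on a real ext4/xfs mount, so this check is
#    a no-op on a plain copied tree or where lsattr is missing.
check_immutable() {
  root="$1"
  command -v lsattr >/dev/null 2>&1 || return 0
  for p in "$root"/etc/ld.so.preload "$root"/root/.ssh/authorized_keys "$root"/etc/passwd; do
    [ -e "$p" ] || continue
    # lsattr prints the flag string first, e.g. "----i---------e------- /path";
    # a lowercase "i" in that string is the immutable attribute.
    lsattr -d "$p" 2>/dev/null | awk '$1 ~ /i/ { print "immutable: " $2 }'
  done
  return 0
}

run_all() {
  check_users "$1"
  check_ssh_keys "$1"
  check_systemd "$1"
  check_immutable "$1"
  return 0
}

run_all "${1:-}"
```

Findings are printed one per line so the script can be piped into a ticket or a SIEM; an empty output means none of these four artifacts were seen, not that the host is clean (the Diamorphine rootkit noted above hides processes and files from exactly this kind of userland inspection, so pair it with an offline image or a kernel-side check).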