TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.
|Enterprise||T1098||.004||Account Manipulation: SSH Authorized Keys|
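The authorized_keys manipulation in this row is cheap to audit: compare every key on disk against the fingerprints you expect. The script below is an added example for this page, not code from the ATT&CK entry or from TeamTNT tooling; the key blobs, the allowlist and the authorized_keys text are constructed, and it deliberately parses the optional leading options field so that an entry such as `command="…" ssh-ed25519 …` is not skipped.

```python
"""Audit OpenSSH authorized_keys entries against an allowlist of key fingerprints.

Added example for this page; it is not code from the ATT&CK entry or from
TeamTNT tooling. The key blobs, the allowlist and the authorized_keys text are
constructed for illustration.
"""
import base64
import hashlib

# Key types OpenSSH accepts in authorized_keys; used to tell the optional
# leading options field apart from the key type.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint (what `ssh-keygen -lf` prints) of a key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split_fields(line: str) -> list:
    """Whitespace split that keeps double-quoted option values (command="a b") intact."""
    fields, current, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if current:
                fields.append(current)
            current = ""
        else:
            current += ch
    if current:
        fields.append(current)
    return fields


def parse_entry(line: str):
    """Return (options, keytype, blob, comment) or None for an unparseable entry."""
    fields = _split_fields(line.strip())
    if not fields:
        return None
    if fields[0] in KEY_TYPES:
        options, rest = "", fields
    else:
        options, rest = fields[0], fields[1:]
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        return None
    return options, rest[0], rest[1], " ".join(rest[2:])


def audit(authorized_keys_text: str, allowed_fingerprints: set) -> list:
    """Return (line number, fingerprint or None, reason) for every entry that is not
    a well-formed key on the allowlist. Comments and blank lines are skipped."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = parse_entry(line)
        if entry is None:
            findings.append((lineno, None, "unparseable entry"))
            continue
        options, keytype, blob, comment = entry
        try:
            fp = fingerprint(blob)
        except ValueError:
            findings.append((lineno, None, "key blob is not valid base64"))
            continue
        if fp not in allowed_fingerprints:
            findings.append((lineno, fp, f"{keytype} key not in allowlist (options={options!r}, comment={comment!r})"))
    return findings


# Constructed key blobs: structurally valid ed25519 public keys with dummy key bytes.
def _ed25519_blob(seed_byte: int) -> str:
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed_byte]) * 32
    return base64.b64encode(raw).decode()


KNOWN_ADMIN_KEY = _ed25519_blob(1)
UNKNOWN_KEY = _ed25519_blob(2)

# Constructed authorized_keys file: one approved key, one foreign key, one approved
# key carrying an options field, and a corrupt line.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample
ssh-ed25519 {KNOWN_ADMIN_KEY} admin@bastion
ssh-ed25519 {UNKNOWN_KEY} root@localhost
command="/usr/bin/true",no-pty ssh-ed25519 {KNOWN_ADMIN_KEY} locked-down
this is not a key
"""
ALLOWLIST = {fingerprint(KNOWN_ADMIN_KEY)}

if __name__ == "__main__":
    for lineno, fp, reason in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {lineno}: {reason} {fp or ''}")
```

Run it over `~/.ssh/authorized_keys` for root and every service account, and treat an unparseable line as a finding rather than noise: a key that your parser cannot read is one that sshd may still accept.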
|Enterprise||T1583||.001||Acquire Infrastructure: Domains|
|Enterprise||T1595||.001||Active Scanning: Scanning IP Blocks||
TeamTNT has scanned specific lists of target IP addresses.
|.002||Active Scanning: Vulnerability Scanning||
TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.
|Enterprise||T1071||Application Layer Protocol|
TeamTNT has the
|Enterprise||T1547||.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|
|Enterprise||T1059||.001||Command and Scripting Interpreter: PowerShell||
TeamTNT has executed PowerShell commands in batch scripts.
|.003||Command and Scripting Interpreter: Windows Command Shell||
TeamTNT has used batch scripts to download tools and execute cryptocurrency miners.
|.004||Command and Scripting Interpreter: Unix Shell|
|.009||Command and Scripting Interpreter: Cloud API||
TeamTNT has leveraged AWS CLI to enumerate cloud environments with compromised credentials.
|Enterprise||T1609||Container Administration Command||
TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers.
|Enterprise||T1613||Container and Resource Discovery||
TeamTNT has checked for running containers with
|Enterprise||T1136||.001||Create Account: Local Account||
TeamTNT has created local privileged users on victim machines.
|Enterprise||T1543||.002||Create or Modify System Process: Systemd Service||
TeamTNT has established persistence through the creation of a cryptocurrency mining system service using
|.003||Create or Modify System Process: Windows Service||
TeamTNT has used malware that adds cryptocurrency miners as a service.
|Enterprise||T1074||.001||Data Staged: Local Data Staging||
TeamTNT has aggregated collected credentials in text files before exfiltrating.
|Enterprise||T1140||Deobfuscate/Decode Files or Information||
TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope.
|Enterprise||T1610||Deploy Container||
TeamTNT has deployed different types of containers into victim environments to facilitate execution. TeamTNT has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges.
|Enterprise||T1587||.001||Develop Capabilities: Malware|
|Enterprise||T1611||Escape to Host||
TeamTNT has deployed privileged containers that mount the filesystem of the victim machine.
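A privileged container with the host root bind-mounted is the escape primitive this row describes, and it is visible in the request that creates the container. The checker below is an added example for this page, not code from the ATT&CK entry or from TeamTNT; the two specifications are constructed, and the field names follow the Docker Engine API container-create body (`HostConfig.Privileged`, `HostConfig.Binds`, `HostConfig.PidMode`) and the Kubernetes Pod spec (`securityContext.privileged`, `hostPath` volumes, `hostPID`). It goes slightly beyond the row by also flagging the Docker socket and host namespaces, which give the same result without `privileged`.

```python
"""Flag container specifications that hand an attacker the host: privileged mode,
bind mounts of the host root or the Docker socket, host PID/network namespaces.

Added example for this page, not code from the ATT&CK entry or from TeamTNT. The
two specifications below are constructed; field names follow the Docker Engine
API container-create body (HostConfig.Privileged, HostConfig.Binds, ...) and the
Kubernetes Pod spec (securityContext.privileged, hostPath volumes, hostPID).
"""

# Host paths whose exposure to a container is as good as a host shell.
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/run/docker.sock", "/etc",
                        "/root", "/proc", "/sys", "/var/lib/kubelet")


def is_sensitive_host_path(path: str) -> bool:
    path = path.rstrip("/") or "/"
    for p in SENSITIVE_HOST_PATHS:
        if path == p or (p != "/" and path.startswith(p + "/")):
            return True
    return False


def assess_docker_create(body: dict) -> list:
    """Findings for a Docker Engine API POST /containers/create body."""
    findings = []
    hc = body.get("HostConfig", {})
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and unrestricted device access")
    if hc.get("PidMode") == "host":
        findings.append("PidMode=host: can see and signal host processes")
    if hc.get("NetworkMode") == "host":
        findings.append("NetworkMode=host: shares the host network stack")
    for bind in hc.get("Binds", []):
        host_path = bind.split(":", 1)[0]   # "host:container[:opts]"
        if is_sensitive_host_path(host_path):
            findings.append(f"bind mount of sensitive host path {host_path}")
    return findings


def assess_k8s_pod(pod: dict) -> list:
    """Findings for a Kubernetes Pod manifest (init containers included)."""
    findings = []
    spec = pod.get("spec", {})
    if spec.get("hostPID"):
        findings.append("hostPID: true")
    if spec.get("hostNetwork"):
        findings.append("hostNetwork: true")
    host_volumes = {v["name"]: v["hostPath"]["path"]
                    for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container {c['name']} is privileged")
        for m in c.get("volumeMounts", []):
            path = host_volumes.get(m["name"])
            if path is not None and is_sensitive_host_path(path):
                findings.append(f"container {c['name']} mounts host path {path} at {m['mountPath']}")
    return findings


# Constructed: a container-create request that mounts the host root filesystem.
DOCKER_CREATE_BODY = {
    "Image": "alpine:latest",
    "HostConfig": {"Privileged": True, "Binds": ["/:/host", "/tmp/work:/work"], "PidMode": "host"},
}

# Constructed: a Pod that does the same through a hostPath volume.
K8S_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "maint"},
    "spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "alpine:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
    },
}

# Constructed: an ordinary workload for comparison.
K8S_POD_SAFE = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{"name": "web", "image": "nginx:1.25",
                        "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
                        "volumeMounts": [{"name": "scratch", "mountPath": "/cache"}]}],
    },
}

if __name__ == "__main__":
    for label, findings in (("docker", assess_docker_create(DOCKER_CREATE_BODY)),
                            ("pod", assess_k8s_pod(K8S_POD)),
                            ("safe pod", assess_k8s_pod(K8S_POD_SAFE))):
        print(label, findings or ["no findings"])
```

The same checks belong in an admission controller or a Docker authorization plugin so the request is refused rather than merely logged; the Pod Security "restricted" profile rejects the Pod above outright.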
|Enterprise||T1048||Exfiltration Over Alternative Protocol||
TeamTNT has sent locally staged files with collected credentials to C2 servers using cURL.
|Enterprise||T1133||External Remote Services||
TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments. TeamTNT has also targeted exposed kubelets for Kubernetes environments.
|Enterprise||T1083||File and Directory Discovery||
TeamTNT has used a script that checks
|Enterprise||T1222||.002||File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification||
TeamTNT has modified the permissions on binaries with
|Enterprise||T1562||.001||Impair Defenses: Disable or Modify Tools||
TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.
|.004||Impair Defenses: Disable or Modify System Firewall|
|Enterprise||T1070||.002||Indicator Removal: Clear Linux or Mac System Logs|
|.003||Indicator Removal: Clear Command History|
|.004||Indicator Removal: File Deletion||
TeamTNT has used a payload that removes itself after running. TeamTNT also has deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them.
|Enterprise||T1105||Ingress Tool Transfer||
TeamTNT has the
|Enterprise||T1036||Masquerading||
TeamTNT has disguised their scripts with docker-related file names.
|.005||Match Legitimate Name or Location||
TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.
|Enterprise||T1046||Network Service Discovery||
TeamTNT has used masscan to search for open Docker API ports and Kubernetes clusters. TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.
|Enterprise||T1027||Obfuscated Files or Information||
TeamTNT has encrypted its binaries via AES and encoded files using Base64.
|.002||Obfuscated Files or Information: Software Packing||
TeamTNT has used UPX and Ezuri packer to pack its binaries.
|Enterprise||T1120||Peripheral Device Discovery||
TeamTNT has searched for attached VGA devices using lspci.
|Enterprise||T1057||Process Discovery||
TeamTNT has searched for rival malware and removed it if found. TeamTNT has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools.
|Enterprise||T1219||Remote Access Software||
TeamTNT has established tmate sessions for C2 communications.
|Enterprise||T1021||.004||Remote Services: SSH||
TeamTNT has used SSH to connect back to victim machines. TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them.
|Enterprise||T1496||Resource Hijacking||
TeamTNT has deployed XMRig Docker images to mine cryptocurrency. TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.
|Enterprise||T1014||Rootkit||
TeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine.
|Enterprise||T1518||.001||Software Discovery: Security Software Discovery||
TeamTNT has searched for security products on infected machines.
|Enterprise||T1608||.001||Stage Capabilities: Upload Malware||
TeamTNT has uploaded backdoored Docker images to Docker Hub.
|Enterprise||T1082||System Information Discovery||
TeamTNT has searched for system version, architecture, disk partition, logical volume, and hostname information.
|Enterprise||T1016||System Network Configuration Discovery|
|Enterprise||T1049||System Network Connections Discovery||
TeamTNT has run
|Enterprise||T1007||System Service Discovery||
TeamTNT has searched for services such as Alibaba Cloud Security's aliyun service and BMC Helix Cloud Security's bmc-agent service in order to disable them.
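Several rows above describe command lines rather than malware: mass scanning for the Docker API and kubelet (Network Service Discovery), `lspci` for VGA devices (Peripheral Device Discovery), `tmate` (Remote Access Software), process listings filtered for `aliyun`/`liyun` (Process Discovery), and stopping the aliyun and bmc-agent services (this row). The detector below is an added example for this page, not code from the ATT&CK entry or from TeamTNT; the JSON-lines telemetry format and every event are constructed, and each rule carries the technique ID of the row it covers.

```python
"""Match process-execution telemetry against the command-line patterns this page
attributes to TeamTNT: mass scanning for Docker/Kubernetes ports, GPU enumeration
with lspci, tmate for remote access, and stopping or looking for Alibaba Cloud
and BMC agents.

Added example for this page, not code from the ATT&CK entry or from TeamTNT. The
JSON-lines telemetry format and every event below are constructed; the rules
carry the technique IDs of the rows they correspond to.
"""
import json
import re

# (technique, rule name, pattern). Ordered most specific first; the first match wins.
RULES = [
    ("T1046", "mass scan of Docker API / kubelet ports",
     re.compile(r"\b(masscan|zmap|zgrab)\b.*(?<!\d)(2375|2376|10250)(?!\d)")),
    ("T1046", "mass scanner launched",
     re.compile(r"\b(masscan|zmap|zgrab)\b")),
    ("T1120", "GPU enumeration via lspci",
     re.compile(r"\blspci\b.*\bvga\b", re.IGNORECASE)),
    ("T1219", "tmate session started",
     re.compile(r"(^|\s)tmate\b")),
    ("T1562.001", "cloud security agent stopped or disabled",
     re.compile(r"\bsystemctl\s+(stop|disable|mask)\s+\S*(aliyun|bmc-agent)", re.IGNORECASE)),
    ("T1057", "process list searched for Alibaba Cloud tooling",
     re.compile(r"\bps\b.*\bgrep\b.*\b(aliyun|liyun)\b", re.IGNORECASE)),
]


def match_rule(cmdline: str):
    """First rule whose pattern matches the command line, or None."""
    for technique, name, pattern in RULES:
        if pattern.search(cmdline):
            return technique, name
    return None


def detect(log_lines) -> list:
    """Run the rules over JSON-lines telemetry; malformed lines are skipped, not fatal."""
    hits = []
    for raw in log_lines:
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        cmdline = event.get("cmdline", "")
        matched = match_rule(cmdline)
        if matched:
            technique, name = matched
            hits.append({"ts": event.get("ts"), "host": event.get("host"), "user": event.get("user"),
                         "technique": technique, "rule": name, "cmdline": cmdline})
    return hits


# Constructed telemetry, one event per line, in the shape an EDR or auditd
# pipeline would export (timestamp, host, user, full command line).
SAMPLE_TELEMETRY = """
{"ts": "2024-03-01T08:12:03Z", "host": "node-1", "user": "root", "cmdline": "masscan 10.0.0.0/16 -p2375,2376,10250 --rate 10000"}
{"ts": "2024-03-01T08:12:09Z", "host": "node-1", "user": "root", "cmdline": "sh -c \\"lspci | grep -i vga\\""}
{"ts": "2024-03-01T08:12:15Z", "host": "node-1", "user": "root", "cmdline": "tmate -F"}
{"ts": "2024-03-01T08:12:21Z", "host": "node-1", "user": "root", "cmdline": "systemctl stop aliyun.service"}
{"ts": "2024-03-01T08:12:22Z", "host": "node-1", "user": "root", "cmdline": "sh -c \\"ps aux | grep liyun\\""}
{"ts": "2024-03-01T08:13:00Z", "host": "node-1", "user": "app", "cmdline": "ls -la /var/lib/docker"}
not json at all
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_TELEMETRY.splitlines()):
        print(f"{hit['ts']} {hit['host']} {hit['technique']}: {hit['rule']} <- {hit['cmdline']}")
```

None of these commands is malicious on its own; the value is in the sequence on one host within minutes, which is why the hits keep the timestamp and host so a downstream rule can correlate them.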
|Enterprise||T1569||.002||System Services: Service Execution||
TeamTNT has created system services to execute cryptocurrency mining software.
|Enterprise||T1552||.001||Unsecured Credentials: Credentials In Files||
TeamTNT has searched for unsecured AWS credentials and Docker API credentials.
|.004||Unsecured Credentials: Private Keys|
|.005||Unsecured Credentials: Cloud Instance Metadata API||
TeamTNT has queried the AWS instance metadata service for credentials.
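The metadata query in this row works because IMDSv1 answers a plain GET from any process on the instance, including one inside a compromised container. The exchange below is an added example for this page, not code from the ATT&CK entry or from TeamTNT: it runs both request styles against a local stand-in for the metadata service (constructed, not EC2) configured the way `HttpTokens=required` behaves. The paths and header names are the real IMDS ones; the role name, token and credential values are dummies.

```python
"""IMDSv1 versus IMDSv2 against a metadata endpoint that requires session tokens.

Added example for this page, not code from the ATT&CK entry or from TeamTNT. The
metadata service is a local stand-in (constructed), not EC2; the paths and header
names are the real IMDS ones, the role name and credential values are dummies.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"

SESSION_TOKEN = "constructed-session-token"          # a real IMDS mints one per PUT
ROLE_NAME = "demo-role"
DUMMY_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "constructed", "Token": "constructed"}


class MockIMDS(BaseHTTPRequestHandler):
    """Behaves like an instance launched with HttpTokens=required: every GET must
    carry a token obtained through PUT /latest/api/token."""

    def log_message(self, *args):      # keep the demo quiet
        pass

    def _reply(self, code: int, body: bytes = b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        if self.path == TOKEN_PATH and self.headers.get(TTL_HEADER):
            self._reply(200, SESSION_TOKEN.encode())
        else:
            self._reply(400)

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) != SESSION_TOKEN:
            self._reply(401)           # IMDSv1-style request: rejected
        elif self.path == CREDS_PATH:
            self._reply(200, ROLE_NAME.encode())
        elif self.path == CREDS_PATH + ROLE_NAME:
            self._reply(200, json.dumps(DUMMY_CREDS).encode())
        else:
            self._reply(404)


def start_mock_imds():
    server = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_credentials_v1(base: str) -> dict:
    """IMDSv1: plain GETs. Works only where tokens are optional."""
    role = urlopen(Request(base + CREDS_PATH), timeout=2).read().decode()
    return json.loads(urlopen(Request(base + CREDS_PATH + role), timeout=2).read())


def fetch_credentials_v2(base: str, ttl: int = 21600) -> dict:
    """IMDSv2: PUT for a session token, then GET with the token header."""
    token = urlopen(Request(base + TOKEN_PATH, method="PUT", headers={TTL_HEADER: str(ttl)}),
                    timeout=2).read().decode()
    auth = {TOKEN_HEADER: token}
    role = urlopen(Request(base + CREDS_PATH, headers=auth), timeout=2).read().decode()
    return json.loads(urlopen(Request(base + CREDS_PATH + role, headers=auth), timeout=2).read())


def compare_against_token_required_imds() -> tuple:
    """Returns (outcome of the v1 attempt, AccessKeyId obtained through v2)."""
    server, base = start_mock_imds()
    try:
        try:
            fetch_credentials_v1(base)
            v1_outcome = "allowed"
        except HTTPError as err:
            v1_outcome = f"rejected ({err.code})"
        v2_key = fetch_credentials_v2(base)["AccessKeyId"]
    finally:
        server.shutdown()
        server.server_close()
    return v1_outcome, v2_key


if __name__ == "__main__":
    print(compare_against_token_required_imds())   # ('rejected (401)', 'ASIAEXAMPLE')
```

On a real instance the equivalent setting is `aws ec2 modify-instance-metadata-options --http-tokens required --http-put-response-hop-limit 1`. Requiring tokens does not stop a process that already runs on the instance from completing the PUT, so it is not a substitute for least-privilege instance roles; the hop limit of 1 is what keeps the PUT response from reaching a container behind the host's bridge network.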
|Enterprise||T1204||.003||User Execution: Malicious Image||
TeamTNT has relied on users to download and execute malicious Docker images.
|Enterprise||T1102||Web Service||
TeamTNT has leveraged iplogger.org to send collected data back to C2.
|S0601||Hildegard||||Application Layer Protocol, Command and Scripting Interpreter: Unix Shell, Container Administration Command, Container and Resource Discovery, Create Account: Local Account, Create or Modify System Process: Systemd Service, Deobfuscate/Decode Files or Information, Escape to Host, Exploitation for Privilege Escalation, External Remote Services, Hijack Execution Flow: Dynamic Linker Hijacking, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Indicator Removal: Clear Command History, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Network Service Discovery, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Remote Access Software, Resource Hijacking, Rootkit, System Information Discovery, Unsecured Credentials: Private Keys, Unsecured Credentials: Cloud Instance Metadata API, Unsecured Credentials: Credentials In Files, Web Service|
|S0349||LaZagne||||Credentials from Password Stores: Keychain, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSA Secrets, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Proc Filesystem, OS Credential Dumping: Cached Domain Credentials, Unsecured Credentials: Credentials In Files|
|S0179||MimiPenguin||||OS Credential Dumping: Proc Filesystem|
|S0683||Peirates||||Cloud Storage Object Discovery, Container Administration Command, Container and Resource Discovery, Data from Cloud Storage, Deploy Container, Escape to Host, Network Service Discovery, Steal Application Access Token, Unsecured Credentials: Cloud Instance Metadata API, Unsecured Credentials: Container API, Use Alternate Authentication Material: Application Access Token, Valid Accounts: Cloud Accounts|