Aqua Nautilus analyzes TeamTNT’s reemergence with an aggressive cloud campaign targeting Docker, Kubernetes, Jupyter, and other cloud-native services, deploying a broad arsenal of scripts, backdoors, and malware to rapidly infect exposed systems. The operation uses a fast-scanning worm, a Tsunami-based C2, and Docker Hub container images to propagate across SDLC environments, aiming to steal credentials and deploy further malware. #TeamTNT #Tsunami #JupyterLab #WeaveScope #AnonDNS
Key points
- The campaign targets cloud-native environments including Docker, Kubernetes, Redis, Postgres, Hadoop, Tomcat, Nginx, Weave Scope, SSH, and Jupyter apps.
- Aqua Nautilus traced TeamTNT activity to the IP 45.9.148.108 (NiceIT-NL) and linked subdomains on AnonDNS to this campaign.
- The TeamTNT toolbox comprises a wide set of scripts and binaries (e.g., priv8.sh, data.sh, aws.sh, run.sh, scope.sh, x3c.sh, xmrig, 1.0.4.tar.gz) deployed on honeypots.
- The campaign performs aggressive, rapid scanning via Masscan, infects new victims at a high rate, and reports back to a central C2 server.
- Tsunami remains a key component, using IRC for C2 communications and enabling download of additional payloads and backdoors.
- A variety of persistence, defense-evasion, and credential-access techniques are observed, including SSH backdoors, rootkits, and cloud-credential discovery across AWS, Azure, and GCP.
MITRE Techniques
- [T1133] External Remote Services – Misconfigured Docker API allows access and code execution to everyone. “The Docker API misconfiguration that allows access and code execution to everyone.”
- [T1190] Exploit Public-Facing Application – Targeting exposed Docker/Jupyter/Firebase-like surfaces via public API endpoints. “The infrastructure… targeting exposed Docker APIs and JupyterLab instances.”
- [T1046] Network Service Scanning – Botnet uses Masscan to rapidly scan large address spaces. “Using Masscan, a tool renowned for its high-speed scanning capabilities, we estimate that a /8 CIDR range can be scanned within three minutes.”
- [T1059.004] Unix Shell – Execution of commands via a bash-based downloader on infected hosts. “the execution command is a bash implementation used to download scripts and binaries from the C2 server.”
- [T1105] Ingress Tool Transfer – Downloading tools/scripts from the C2 server. “downloads aws.sh script from the C2 server.”
- [T1098] SSH Authorized Keys – SSH backdoor created by inserting RSA keys and altering SSH config for persistence. “creating an SSH backdoor by inserting their own RSA key.”
- [T1547.001] Boot or Logon Autostart Execution – Persistence through container restart behavior (e.g., `--restart=always`). “they ran the container with the --restart=always flag.”
- [T1053.005] Cron – Cron-based persistence and removal of Cron to hide activity. “Remove cron, cleans bad tools.”
- [T1564.001] Rootkit – Prochider rootkit hides mining tasks; uses /etc/ld.so.preload to mask xmrig. “deploys prochider rootkit hidden in ldpreload.”
- [T1027] Obfuscated/Compressed Files and Information – Decoding base64-encoded commands to evade detection. “decoding (base64) and running an encoded command.”
- [T1552.001] Credentials in Cloud – Scanning for AWS/Azure/GCP configuration files and secrets. “get_azure(), get_google(), get_aws”
- [T1505.003] Web Shell – Web-based backdoors (e.g., tmate, Gsocket PHP) to maintain access. “webshell of tmate.io” and “Gsocket… a powerful reverse shell tool.”
- [T1071.001] IRC – Command and Control over IRC channels (C2 via IRC). “IRC channel to observe infected machines and commands.”
- [T1589.003] Cloud Service Discovery – Discovery of Kubernetes, Docker, and cloud configurations during discovery phases. “Discovery… Kubernetes, running containers, and cloud environments.”
Indicators of Compromise
- [IP] 45.9.148.108 – C2 infrastructure hosted by NiceIT-NL.
- [Domains] silentbob.anondns.net, everlost.anondns.net, everfound.anondns.net – subdomains tied to the campaign’s AnonDNS infrastructure.
- [MD5] cc61a23b635405c4b2f2f6dd1893ac7b, 5d4f7c74b2d89377a1c0fe1a4db15779 – file hashes for TeamTNT scripts.
- [MD5] 7044a31e9cd7fdbf10e6beba08c78c6b – remove cron/cleanup script.
- [MD5] a827e07bd36e1e7c258fb27a18029e7a – scope.sh; deploys Weave Scope.
- [File] 1.0.4.tar.gz – TAR file containing masscan.
- [Filename] priv8.sh, data.sh, aws.sh, grab.sh, run.sh – various TeamTNT scripts observed on honeypots.
- [Docker image] shanidmk/jltest2:latest, shanidmk/jltest:latest, shanidmk/sysapp:latest – Docker Hub container images used in the campaign.
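The following is an added hunting example, not code from the Aqua Nautilus post: it checks `docker inspect`-shaped container records for the behaviours listed under the MITRE techniques above (campaign image, privileged container with `restart=always`, base64-decoded command piped to a shell, host root or SSH directory mounted in) and matches resolver log lines against the domains and C2 IP from the indicator list. The container records, the resolver log format (timestamp, type, client, name, answer) and the benign entries are constructed sample data.

```python
import re

# Indicators as listed in the summary above (sample values; extend from your own feed).
CAMPAIGN_IMAGES = {"shanidmk/jltest2:latest", "shanidmk/jltest:latest", "shanidmk/sysapp:latest"}
CAMPAIGN_DOMAINS = {"silentbob.anondns.net", "everlost.anondns.net", "everfound.anondns.net"}
CAMPAIGN_IPS = {"45.9.148.108"}
# Pattern behind T1027 on this page: decode a base64 blob and pipe it straight into a shell.
B64_EXEC = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")

def inspect_container(rec):
    """Return findings for one record shaped like `docker inspect` output."""
    findings = []
    cfg, host = rec.get("Config", {}), rec.get("HostConfig", {})
    if cfg.get("Image") in CAMPAIGN_IMAGES:
        findings.append("known campaign image: " + cfg["Image"])
    # T1547.001 on this page: --restart=always on a privileged container survives reboots
    if host.get("RestartPolicy", {}).get("Name") == "always" and host.get("Privileged"):
        findings.append("privileged container with restart=always")
    if B64_EXEC.search(" ".join(cfg.get("Cmd") or [])):
        findings.append("base64-decoded command piped to a shell")
    # Host root or SSH dir mounted in: lets the SSH key backdoor (T1098) be planted from inside
    for bind in host.get("Binds") or []:
        if bind.startswith(("/:", "/root/.ssh:")):
            findings.append("sensitive host path mounted: " + bind)
    return findings

def dns_hits(lines):
    """Return (client, name) for resolver log lines touching campaign domains or the C2 IP."""
    hits = []
    for line in lines:
        client, name, answer = line.split()[-3:]
        if name in CAMPAIGN_DOMAINS or answer in CAMPAIGN_IPS:
            hits.append((client, name))
    return hits

# Constructed sample input: one container mirroring the campaign's pattern, one benign.
SAMPLE_CONTAINERS = [
    {"Config": {"Image": "shanidmk/sysapp:latest",
                "Cmd": ["sh", "-c", "echo <blob> | base64 -d | bash"]},
     "HostConfig": {"Privileged": True, "RestartPolicy": {"Name": "always"}, "Binds": ["/:/host"]}},
    {"Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"Privileged": False, "RestartPolicy": {"Name": "always"},
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
]
SAMPLE_DNS = [  # constructed resolver log: timestamp, type, client, name, answer
    "2024-10-30T12:00:01Z query 10.0.0.7 silentbob.anondns.net 45.9.148.108",
    "2024-10-30T12:00:02Z query 10.0.0.9 updates.example.org 203.0.113.5",
]
if __name__ == "__main__":
    for rec in SAMPLE_CONTAINERS:
        print(rec["Config"]["Image"], inspect_container(rec))
    print(dns_hits(SAMPLE_DNS))
```

On a live host, feed `inspect_container` the JSON from `docker inspect` for each running container; a benign `restart=always` service without the privileged flag produces no finding.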
Read more: https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign