TeamTNT Cryptomining Explosion 🧨

TeamTNT is a prolific cryptomining threat actor that has targeted Linux servers for years, evolving from Redis to Docker and now Kubernetes-focused campaigns, with some Windows artifacts observed. The analysis details their TTPs, tools (including Tsunami, Rathole, Ezuri, and Diamorphine), methods to hide activity, and data exfiltration and lateral movement techniques, providing a consolidated resource for defenders. #TeamTNT #Tsunami #Rathole #WeaveScope #Ezuri #Diamorphine #PunkPy

Keypoints

  • TeamTNT has been active since 2019, primarily targeting Linux servers and shifting focus from Redis to Docker and then Kubernetes.
  • Most tooling is shell-script based, with notable components like the Tsunami IRC bot and the Rathole backdoor; Ezuri and a kernel module Diamorphine are also used.
  • They employ strong defense-evasion techniques, including not writing to disk, hiding processes via procfs, and using LD_PRELOAD rootkits.
  • Credential and data theft are a consistent objective, with exfiltration of SSH credentials, AWS configs/keys, and cloud data to actor-controlled servers.
  • Propagation relies on scanning for vulnerable Docker/Kubernetes instances (via masscan/pnscan and zgrab) and cron-based payload delivery to discovered hosts.
  • TeamTNT maintains a public presence on Twitter (HildeTNT) and has faced imitators; their campaigns and tooling have been discussed in multiple security analyses.
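The propagation path in the keypoints above depends on finding Docker daemons whose API is reachable over the network without client authentication. The following is an added example (not code from the Intezer report or from TeamTNT tooling) that audits a Docker `daemon.json` for that exposure, with a constructed weak configuration beside a constructed hardened one; the file paths in the hardened sample are assumed placeholders.

```python
"""Audit a Docker daemon.json for the exposure that mass scanners look for:
the Docker API bound to a TCP address without TLS client verification.
Added example for this write-up; not the report's own code."""
import json
import os

# Constructed sample configurations (not taken from the report).
# Weak: API listens on all interfaces with no tlsverify at all.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
# Hardened: TCP listener kept, but clients must present a cert signed by the CA.
# Certificate paths are assumed placeholders.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

TLS_MATERIAL_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_docker_daemon(daemon_json_text):
    """Return a list of human-readable findings; an empty list means nothing flagged.

    The port number alone is not the signal (2375 vs 2376 is only a convention);
    what matters is a tcp:// listener combined with missing client verification.
    """
    cfg = json.loads(daemon_json_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: not reachable by network scanners
    tls_verify = bool(cfg.get("tlsverify", False))
    if not tls_verify:
        for host in tcp_hosts:
            findings.append(f"{host}: Docker API reachable over TCP without tlsverify")
        return findings
    # tlsverify is on; make sure the certificate material is actually configured.
    for key in TLS_MATERIAL_KEYS:
        if key not in cfg:
            findings.append(f"tlsverify set but {key} is missing from daemon.json")
    return findings


if __name__ == "__main__":
    print("weak config:", audit_docker_daemon(WEAK_DAEMON_JSON))
    print("hardened config:", audit_docker_daemon(HARDENED_DAEMON_JSON))
    # Default daemon.json location on most Linux distributions.
    live_path = "/etc/docker/daemon.json"
    if os.path.exists(live_path):
        with open(live_path) as fh:
            print("live config:", audit_docker_daemon(fh.read()))
```

The check reads only the JSON file; a daemon started with `-H tcp://...` on the systemd `ExecStart` line is not visible here, so a complete audit also inspects the unit file.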

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The infection relies on shell scripts (setup.sh, etc.) executed directly to run modules. “The infection on the machine started with the execution of the setup.sh shell script.”
  • [T1105] Ingress Tool Transfer – The main setup script downloads and executes additional modules from the threat actor’s infrastructure. “The script downloads the rest of the modules used in the attack.”
  • [T1564.001] Hide Artifacts – The malware hides its activity by manipulating procfs and mounting an empty folder over the process entry. “mounting an empty folder over the process entry within the procfs.”
  • [T1036] Masquerading – The bot changes its process name to appear as a kernel thread, a classic masquerade technique. “The bot is setting a ‘fake’ application name to kthreadd, masquerading as a kernel thread.”
  • [T1562.001] Impair Defenses – They disable monitoring tools, e.g., “disable monitoring services such as apparmor.”
  • [T1543.003] Create or Modify Systemd Services – The malware creates or modifies startup services to persist across reboots. “The script adds either a System V init script or a systemd service depending on what is used by the system.”
  • [T1014] Rootkit – The Diamorphine kernel rootkit is used to hide miners and control processes. “The rootkit called Diamorphine is an open-source rootkit… It can hide processes, files and elevate a given user to root.”
  • [T1496] Resource Hijacking – Cryptomining is highlighted as the major threat to Linux servers and cloud environments. “Illicit cryptomining has become the major threat to Linux servers and cloud environments.”
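Two of the evasion techniques listed above leave traces a host check can look for: a filesystem mounted over `/proc/<pid>` shows up as a mount point in `/proc/self/mountinfo`, and a user-space process renamed to `kthreadd` still has a command line and a parent that real kernel threads do not. The following is an added example (not the report's or the actor's code) with constructed `mountinfo` sample lines; the PIDs and process records in the sample are invented for illustration.

```python
"""Host-side checks for two procfs evasion tricks: a filesystem mounted over
/proc/<pid> to hide a process, and a user-space process named like a kernel
thread. Added example for this write-up; not code from the report."""
import os
import re

# Constructed sample of /proc/self/mountinfo content (not from the report).
# Field 5 (index 4) is the mount point; two tmpfs mounts sit over PID entries.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
95 22 0:45 / /proc/4242 rw,relatime shared:50 - tmpfs tmpfs rw
96 22 0:46 / /proc/1337 rw,relatime - tmpfs tmpfs rw
97 28 0:47 / /proc/sys/fs/binfmt_misc rw,relatime - binfmt_misc binfmt_misc rw
"""

# Names legitimate kernel threads use. A real kernel thread has an empty
# cmdline and a parent of PID 0 (kthreadd itself) or PID 2 (its children).
KERNEL_THREAD_NAMES = re.compile(
    r"^(kthreadd|kworker/.*|ksoftirqd/.*|migration/.*|kswapd\d+)$")


def find_proc_overmounts(mountinfo_text):
    """Return PIDs whose /proc/<pid> directory has another filesystem mounted
    on top of it; the overmount makes the real entry invisible to ps/top."""
    hidden = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        match = re.fullmatch(r"/proc/(\d+)", fields[4])
        if match:
            hidden.append(int(match.group(1)))
    return hidden


def is_kernel_thread_masquerade(proc):
    """proc is a dict with keys comm, ppid, cmdline. Flag a process that carries
    a kernel-thread name but has a non-empty command line or a parent other
    than PID 0/2, neither of which a genuine kernel thread has."""
    if not KERNEL_THREAD_NAMES.match(proc["comm"]):
        return False
    return bool(proc["cmdline"]) or proc["ppid"] not in (0, 2)


def scan_live_procfs():
    """Walk the real /proc of this host; return (overmounted_pids, masquerades)."""
    with open("/proc/self/mountinfo") as fh:
        overmounted = find_proc_overmounts(fh.read())
    masquerades = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                status = dict(line.split(":", 1) for line in fh if ":" in line)
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                raw = fh.read().replace(b"\0", b" ").strip()
        except OSError:
            continue  # process exited or is not readable from this context
        proc = {"pid": int(entry), "comm": status["Name"].strip(),
                "ppid": int(status["PPid"].strip()),
                "cmdline": raw.decode(errors="replace")}
        if is_kernel_thread_masquerade(proc):
            masquerades.append(proc)
    return overmounted, masquerades


if __name__ == "__main__":
    print("overmounted PIDs in sample:", find_proc_overmounts(SAMPLE_MOUNTINFO))
    if os.path.exists("/proc/self/mountinfo"):
        over, masq = scan_live_procfs()
        print("live overmounts:", over)
        for p in masq:
            print(f"suspicious PID {p['pid']} comm={p['comm']} "
                  f"ppid={p['ppid']} cmdline={p['cmdline']!r}")
```

The live scan reads procfs from the same mount namespace it runs in, so a process hidden by an LD_PRELOAD rootkit that filters `readdir` results would not appear in `os.listdir("/proc")`; pairing this with a check of `/etc/ld.so.preload` closes that gap.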

Indicators of Compromise

  • [Domain] teamtnt.red, chimaera.cc – Domains used to host scripts and deliver payloads.
  • [IP Address] 45.9.150.36, 45.9.148.108 – Hosts for C2 and malicious content; 116.62.122.90 – older server referenced by scripts.
  • [SHA256] 125dc99b9f94d5548bb68b371cb2ff22134b60b1fef915d1ae85b025f4039be0, 561b76684d80084bd4b924e439f7e37683f486ca94fa088f283402dc7443271c – Hashes of early scripts such as bsh.sh and ash.sh.
  • [Filename] bsh.sh, ash.sh – Early setup scripts used to bootstrap infections.

Read more: https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/