Security researchers have recently found new evidence of TeamTNT activity during 2023, contradicting the common belief that the group had disbanded in 2022. TeamTNT gained notoriety for cryptojacking attacks, in which it hijacks victims' computing resources to mine cryptocurrency without authorization.
First surfacing in 2019, TeamTNT, believed to be German-speaking, built a reputation for crafting its own malware from a toolkit of shell scripts and malicious binaries. Its modus operandi was to target publicly exposed, vulnerable Redis, Kubernetes and Docker instances, stealing credentials and implanting backdoors in support of its cryptojacking operations.
A recent report from Group-IB revealed that TeamTNT's tactics, techniques and procedures (TTPs) were still in use in campaigns during the previous year. The report highlighted a new campaign targeting cloud virtual private servers (VPS) running CentOS.
According to Group-IB's findings, the threat actor gained initial access by brute-forcing Secure Shell (SSH) credentials on the victim's assets, then deployed a malicious script. On execution, the script checks for signs of prior compromise by looking for logs left behind by other miners. It then disables security measures, wipes logs, and alters system files; it terminates any running cryptocurrency-mining processes, removes Docker containers, and switches the system's DNS resolver to Google's servers. A practical consequence of the log wiping is that the on-host authentication log may no longer show the brute-force attempts by the time an investigation starts, so logs forwarded off-host are the reliable record of the initial access.
The report also disclosed that the script installs the "Diamorphine" rootkit to gain stealth and root privileges, and uses custom tools for persistence and command and control. Group-IB emphasized TeamTNT's skill at automating its attacks, with every detail considered, from initial access to hindering recovery efforts, with the intention of inflicting substantial harm on the victim.
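To make the two preceding paragraphs concrete for defenders, the following is an added example (it is not code from the Group-IB report, from this page, or from TeamTNT) that implements detection logic for the TTPs described: an SSH brute-force-then-successful-login check over authentication log lines, and a static triage of a shell script for the post-access behaviours the report lists (disabling security controls, killing competing miners, removing Docker containers, pointing DNS at Google, wiping logs, loading a kernel module such as an LKM rootkit). The log lines and the script are constructed here solely to exercise the checks; the indicator patterns, thresholds and file paths are assumptions for illustration, not artifacts recovered from the campaign.

```python
# Added example: detection logic for the TTPs described above, run over
# constructed sample data (not TeamTNT's real script and not real host logs).
import re
from collections import Counter

# Constructed sshd lines in the style of /var/log/secure on CentOS.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 vps1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:03 vps1 sshd[2103]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:04 vps1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51141 ssh2
Mar  3 10:01:05 vps1 sshd[2107]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 10:01:06 vps1 sshd[2109]: Failed password for root from 203.0.113.7 port 51162 ssh2
Mar  3 10:01:07 vps1 sshd[2111]: Failed password for root from 203.0.113.7 port 51170 ssh2
Mar  3 10:01:09 vps1 sshd[2113]: Accepted password for root from 203.0.113.7 port 51181 ssh2
Mar  3 10:05:00 vps1 sshd[2200]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def detect_bruteforce_then_login(log_text, threshold=5):
    """Flag source IPs that accumulate >= threshold failed SSH logins and then
    get an Accepted login: the initial-access pattern described in the report.
    The threshold is an assumed tuning value."""
    failures = Counter()
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if failures[ip] >= threshold:
                hits.append({"ip": ip, "user": user, "method": method,
                             "failures": failures[ip]})
    return hits


# Constructed stand-in for a post-access script. Its commands are assumed
# concrete forms of the behaviours the report describes; they are not quoted
# from the real script.
SAMPLE_SCRIPT = """\
#!/bin/bash
setenforce 0
systemctl stop firewalld
pkill -f xmrig
docker rm -f $(docker ps -aq)
echo "nameserver 8.8.8.8" > /etc/resolv.conf
rm -rf /var/log/secure /var/log/messages
history -c
insmod /tmp/diamorphine.ko
"""

# Assumed indicator patterns, one per reported behaviour.
INDICATORS = {
    "disable_security": re.compile(
        r"\bsetenforce 0\b|systemctl (stop|disable) (firewalld|apparmor|iptables)"),
    "kill_miners": re.compile(r"\b(pkill|killall)\b.*\b(xmrig|minerd)\b"),
    "remove_containers": re.compile(r"\bdocker (rm|kill)\b"),
    "dns_to_google": re.compile(r"(8\.8\.8\.8|8\.8\.4\.4).*/etc/resolv\.conf"),
    "wipe_logs": re.compile(r"\brm -rf? .*?/var/log|\bhistory -c\b"),
    "load_kernel_module": re.compile(r"\binsmod\b.*\.ko"),
}


def triage_script(text):
    """Return the set of indicator names matched by any line of the script."""
    lines = text.splitlines()
    return {name for name, rx in INDICATORS.items()
            if any(rx.search(line) for line in lines)}


if __name__ == "__main__":
    for hit in detect_bruteforce_then_login(SAMPLE_AUTH_LOG):
        print("SSH brute force followed by login:", hit)
    print("script indicators:", sorted(triage_script(SAMPLE_SCRIPT)))
```

Note that the constructed script deletes /var/log/secure, the very file the first check reads on a CentOS host: the brute-force detection is only dependable when run against authentication logs shipped to a collector before the intruder's cleanup, which is why the two checks are complementary rather than interchangeable.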
This finding underscores the continuing threat posed by TeamTNT and the importance of robust security controls, in particular for the exposed SSH, Redis, Kubernetes and Docker services the group has historically targeted. As organizations navigate an evolving threat landscape, vigilance and proactive defense remain essential in mitigating the risks of cryptojacking and similar abuse.