Security researchers have found new evidence of TeamTNT activity dating back to 2023, despite a commonly held belief that the group “evaporated” in 2022.
TeamTNT was a prolific threat actor known for cryptojacking attacks, which use victims’ IT resources to illegally mine for cryptocurrency.
The likely German-speaking actor first emerged in 2019 and became infamous for its “homebrewed malware using a comprehensive toolkit of shell scripts and malicious binaries,” according to Group-IB.
It would target vulnerable public instances of Redis, Kubernetes and Docker, stealing credentials and installing backdoors in its cryptojacking campaigns.
Read more on TeamTNT: Experts Warn of Impending TeamTNT Docker Attacks
Published yesterday, Group-IB’s latest report revealed an overlap of TeamTNT tactics, techniques and procedures (TTPs) with ongoing campaigns dating back to last year.
“Group-IB’s DFIR team identified clear evidence of a new campaign impacting VPS cloud infrastructures based on CentOS operating systems,” it said.
“The investigation revealed that the initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim’s assets, during which the threat actor uploaded a malicious script. Our DFIR experts analyzed the script, which, once executed, checks if the host has already been compromised by searching for traces of logs generated by other miners.”
The malicious script also disables security features, deletes logs and modifies system files, according to the report. It kills any cryptocurrency mining processes it discovers, removes Docker containers and updates DNS settings to Google’s servers.
Group-IB added that the script installs the “Diamorphine” rootkit for stealth and root privileges, and uses custom tools to maintain persistence and control.
“It locks down the system by modifying file attributes, creating a backdoor user with root access, and erasing command history to hide its activities,” Group-IB said.
“The entire analysis underscores TeamTNT’s advanced skills in automating its attacks and considering every single aspect and detail, from the initial access to preventing recovery attempts, aiming to inflict significant damage on the victim.”