If you’re unfamiliar with cryptocurrency mining, then now may be the time to become educated. The cybercriminal world is constantly changing, and cybercriminal gangs are starting to make the shift from RaaS to cryptocurrency mining, with TeamTNT being the latest threat actor.
Cryptocurrency mining is just like mining for gold, diamonds, or other valuable materials. Instead of buying cryptocurrency (Bitcoin, Monero, Bytecoin, etc.), people can set up their computers at home to mine crypto tokens without having any capital. The act of cryptocurrency mining itself isn’t a crime. In fact, there are thousands of people who make a decent living from mining for cryptocurrency, including this 14- and 9-year-old from Dallas, Texas, who earn over $30,000 a month.
When does cryptocurrency mining become a cybercrime? When cyber threat actors like TeamTNT attack vulnerable operating systems and applications by installing cryptocurrency mining malware to cryptojack. The malware is installed so attackers can siphon the currency they stole via cryptojacking and put it into their own digital wallets. They do this by abusing machines that belong to large enterprises.
Not only does TeamTNT infiltrate systems that they don’t have the authority to be in, but they also steal resources. Cryptomining involves pushing a device to its limit and can cause serious damage. The malware that’s installed uses a great amount of power and leaves computers running slow (or not running at all) and electricity bills soaring.
On September 8, 2021, our partner AT&T Alien Labs announced that the malware campaign, Chimaera, by TeamTNT, was actively targeting several operating systems and applications. The programs and applications currently under attack are Microsoft Windows, some Linux Installations (including Alpine), Docker, AWS, and Kubernetes.
While TeamTNT was first publicly acknowledged in May 2020 by Trend Micro, the Chimaera campaign didn’t make an appearance until July 2021. The new malware campaign is responsible for infecting thousands of systems globally by using new open-source tools to mine cryptocurrency. Last year, TeamTNT was responsible for installing cryptocurrency malware on vulnerable Docker containers.
In October 2020, we reported that TeamTNT was using the monitoring tool, Weave Scope, to gain administrative access to cloud environments. They attacked Docker, Kubernetes, Distributed Operation System (DC/OS), and AWS Elastic Compute Cloud instances. In January 2021, we followed up with another report detailing the additions to TeamTNT’s malware campaign. During that time the gang was still using malware to infect and spread through cloud environments, but they started using AWS IAM (Identity and Access Management) to capture credentials more effectively. This is their pattern – using tool kits to compromise cloud environments. While TeamTNT’s goal has not changed, their tools certainly have evolved.
As one of the most active cybercriminal groups since mid-2020, TeamTNT has developed a sneaky tool kit for malicious activity. The tool kit includes Masscan and port scanner, librocesshider, 7z (decompresses files), b374k shell (controls infected systems), and Lazagne. This tool kit allows TeamTNT to go undetected even with the use of anti-virus and malware detection tools – making it difficult for cyber intelligence engineers and analysts to keep up with their activity.
“As of the publishing of this report, many of the samples analyzed by Alien Labs have zero or low detection on VirusTotal.”
Image 1: TeamTNT’s Infection Statistics
From TeamTNT website, infection statistics – AT&T Alien Labs
In conjunction with this new tool kit, TeamTNT is using Peirates, which is a cloud penetration testing toolset that can target cloud-based apps. TeamTNT’s focus appears to be compromising Kubernetes clusters – an open-source software used for deploying and managing containers at scale. The group’s attacks on Kubernetes include using a root payload component. When TeamTNT attacked Windows systems, they use the Xmrig miner, create a service, and add a batch file to the startup folder to maintain persistence.
By using open-source tools, TeamTNT can gather information in AWS and Google Cloud environments to execute post-exploitation operations. This means that the threat actor can laterally move within a system and perform privilege-escalation attacks that could allow them to obtain administrative access to an organization’s entire cloud environment.
While TeamTNT employs some of the same tactics as similar groups, TeamTNT stands out with its social media presence and the tendency for self-promotion. Most threat actors try to stay hidden, but TeamTNT has a public Twitter account and even interacts with researchers – almost as if they are bragging. Tweets from the account are in both English and German although it is unknown if they are located in Germany.
Image 2: TeamTNT’s Interaction with Researchers on Twitter
TeamTNT’s recent interaction with Trend Micro on Twitter.
Image 3: TeamTNT’s Statement Regarding Chimaera
TeamTNT’s public Twitter account
Don’t underestimate the harmful and negative effects of cryptomining malware. Being proactive against these attacks means that your business environment will remain safe and will not be exploited by cybercriminals looking to make money on your dime.
AWS (Amazon Web Services) – a cloud computing platform for amazon. The platform provides servers, storage, networking, remote computing, email, mobile development, and security. TeamTNT uses this to break into cloud instances to mine for Monero cryptocurrency.
AWS IAM (Identity and Access Management) – allows you to create and manage AWS users and group – using permissions to allow and deny access to AWS resources.
Cryptojacking – When an attacker maliciously hacks into a computer (mobile device or laptop) and installs malicious software. The software is used to steal cryptocurrency and a code runs in the background (even after attackers have left), hijacking their victims’ resources.
Cryptocurrency Mining – The act of using a machine, typically a computer, to mine for crypto tokens. Pushing the computer to its maximum capacity and that’s why it uses more electricity. It can be bad for computer equipment and damage it if it runs.
Masscan – searches for new candidates to infect.
Libprocesshider – a software that hides a process under Linux using the Id preloader. This helps execute the TeamTNT bot from memory.
Lazagne – an open-source tool for web operating systems (think Chrome, Wi-Fi, and Firefox), used to collect stored credentials (passwords, usernames, etc.) from applications.
Containers – containers are used to help build modern applications. Containers are microservices packed with their dependencies and configurations.
This document and its contents do not constitute and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of the Client's compliance with any law, regulation or standard.