TeamTNT hacking group has enhanced its abilities by adding a set of tools that allow it to target multiple operating systems.
Earlier this week, cybersecurity experts from AT&T Alien Labs published a report on a new campaign, tracked as Chimaera. According to AT&T researchers, infection statistics on the command-and-control (C2) server used in Chimaera suggests that the campaign began on July 25,2021.
TeamTNT was first discovered last year and was related to the installation of cryptocurrency mining malware on susceptible Docker containers. The operations of the TeamTNT hacking group have been closely monitored by security firm Trend Micro, but in August 2020 experts from Cado Security contributed the more recent discovery of TeamTNT targeting Kubernetes installations.
Now, the researchers at Alien Labs believe the hacking group is targeting Windows, AWS, Docker, Kubernetes, and various Linux installations, including Alpine. Despite the short time period, the latest campaign is responsible for “thousands of infections globally,” the researchers say.
In its latest campaign, TeamTNT is using open-source tools like the port scanner Masscan, libprocesshider software for executing the TeamTNT bot from memory, 7z for file decompression, the b374k shell php panel for system control, and Lazagne.
Lazagne is an open-source application for multiple web operating systems that are stored on local devices including Chrome, Firefox, Wi-Fi, OpenSSH, and various database programs. According to Palo Alto Networks, the group has also added Peirates, a cloud penetration testing toolset in its armory to target cloud-based apps.
“With these techniques available, TeamTNT actors are increasingly more capable of gathering enough information in target AWS and Google Cloud environments to perform additional post-exploitation operations. This could lead to more cases of lateral movement and potential privilege-escalation attacks that could ultimately allow TeamTNT actors to acquire administrative access to an organization’s entire cloud environment,” according to Palo Alto’s June report.
While now self-armed with the kit necessary to target a wide range of operating systems, TeamTNT still focuses on cryptocurrency mining. For example, Windows systems are targeted with the Xmrig miner. A service is created and a batch file is added to the startup folder to maintain persistence — whereas a root payload component is used on vulnerable Kubernetes systems.