One Article Review

Home - The article:
Source Anomali
Identifier 3479896
Publication date 2021-10-06 19:06:00 (viewed: 2021-10-06 23:05:32)
Title Inside TeamTNT's Impressive Arsenal: A Look Into A TeamTNT Server
Text Authored By: Tara Gould

Key Findings

Anomali Threat Research has discovered a server open to directory listing that we attribute with high confidence to the German-speaking threat group TeamTNT. The server contains source code, scripts, binaries, and cryptominers targeting cloud environments. Other server contents include Amazon Web Services (AWS) credentials stolen by TeamTNT stealers. This inside view of TeamTNT infrastructure and the tools in use can help security operations teams improve detection capabilities for related attacks, whether coming directly from TeamTNT or from other cybercrime groups leveraging their tools.

Overview

Anomali Threat Research has identified a TeamTNT server open to directory listing. The server was used to serve the scripts and binaries that TeamTNT use in their attacks, and also for the IRC communications of their bot. The directory appears to have been in use since at least August 2021 and was still in use as of October 5, 2021. The directory contains metadata, scripts, source code, and stolen credentials. TeamTNT is a German-speaking cryptojacking threat group that targets cloud environments. The group typically uses cryptojacking malware and has been active since at least April 2020.[1] TeamTNT activity throughout 2021 has targeted AWS, Docker, GCP, Linux, Kubernetes, and Windows, which corresponds to usual TeamTNT activity.[2]

Technical Analysis

Scripts (/cmd/)

Figure 1 - Overview of /cmd/

Approximately 50 scripts are contained on the server, located in the /cmd/ directory; most of them are already documented. The objectives of the scripts vary and include the following: an AWS credential stealer, the Diamorphine rootkit, IP scanners, Mountsploit, scripts to set up utilities, scripts to set up miners, and scripts to remove previous miners.

Figure 2 - Snippet of AWS Credential Stealer Script

One notable script is the one that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the command and control (C2) server.

Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh

Another interesting script is shown in Figure 3 above: it checks the architecture of the system and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236.

Binaries (/bin/)

Figure 4 - Overview of /bin

Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations. Among the files are well-known samples attributed to TeamTNT, including the Tsunami backdoor and an XMRig cryptominer. Some of the tools have their source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker, noted in Appendix A.
Sent Yes
Tags Malware Tool Threat
Stories Uber APT 32
Notes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up in a previous one.