Executive Summary: Over the past year the TeamTNT threat actor has been very active. TeamTNT is one of the predominant cryptojacking threat actors currently targeting Linux servers. This report investigates the threat actor’s activity and their Tactics, Techniques and Procedures (TTPs)—providing all of this information in one document so security teams can better detect and prevent attacks from TeamTNT.
Based on our findings, we can conclude that they have been active since the Fall of 2019, six months before the first public report on the threat actor's activity. As of this writing, TeamTNT is mainly focused on compromising Kubernetes clusters. Previously they targeted servers running Docker and Redis. We at Intezer also uncovered Windows binaries hosted on a TeamTNT server that were potentially an experiment in targeting Windows machines.
Much of the threat actor’s tooling has stayed consistent throughout their different campaigns. The majority of their tools are based on shell scripts but they also use some “tried and tested” compiled binaries in the attack chains. For example, the use of the Tsunami malware has been a staple of TeamTNT’s campaigns since October 2019. In addition to cryptojacking, a second objective for the threat actor has been to exfiltrate information about compromised hosts.
As early as the Winter of 2020, Intezer saw the threat actor utilizing novel techniques to steal SSH credentials from the compromised machine when it was being used by administrators.
TeamTNT has employed techniques to hide their activities on compromised machines, making incident response investigations more difficult. Their scripts are designed to be executed without being written to disk, or to delete themselves after execution. They have hidden running processes by mounting an empty directory over the process's entry in procfs (/proc/<pid>), so that tools which enumerate /proc no longer see it, and by using user-land and kernel-level rootkits.
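The procfs hiding technique leaves a trace that the hidden process cannot remove: the mount itself appears in the mount table. The following added example (written for this report's readers, not a TeamTNT tool or an Intezer script) shows a check an incident responder can run: it scans a mounts-format file for filesystems mounted on top of a /proc/<pid> directory and prints the affected PIDs. The sample mount table is constructed for the demo; on a live host pass /proc/mounts (or /proc/self/mountinfo, adjusting the field index) instead.

```sh
#!/bin/sh
# Detect processes hidden by mounting a directory over their /proc/<pid> entry.
# Example code added to this report; not TeamTNT's script nor an Intezer tool.

# Constructed sample of /proc/mounts: a normal proc mount, a tmpfs, and a
# directory mounted over /proc/1337, which is what the hiding technique leaves behind.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /proc/1337 ext4 rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Print the PID of every /proc/<pid> directory that has a filesystem mounted on it.
# $1: path to a file in /proc/mounts format (field 2 is the mount point).
hidden_pids_from() {
  awk '$2 ~ /^\/proc\/[0-9]+$/ { sub(/^\/proc\//, "", $2); print $2 }' "$1"
}

# Return 0 if at least one /proc/<pid> mount is present, 1 otherwise;
# handy as a one-line triage check in an IR playbook.
has_hidden_pids() {
  [ -n "$(hidden_pids_from "$1")" ]
}

# Write the constructed sample to a file so the same parser runs offline.
write_sample() {
  printf '%s\n' "$SAMPLE_MOUNTS" > "$1"
}

demo() {
  tmp=$(mktemp)
  write_sample "$tmp"
  # Expected on the sample: the single line "1337".
  hidden_pids_from "$tmp"
  rm -f "$tmp"
}

demo
```

On a compromised host the hidden PID can then be cross-checked by reading /proc/<pid>/status via a path that bypasses the mount (for example after `umount /proc/<pid>`), or by comparing the PIDs returned by this check against the kernel's own list of tasks.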
The threat actor maintains a public persona on Twitter using the handle HildeTNT. The majority of their tweets are written in German and the account's location is set to Germany. In addition, many comments in the shell scripts used by the threat actor are written in German. It is therefore likely that TeamTNT operates from Germany. Much of their interaction with the security industry is via commenting on reports covering their campaigns, mostly to point out incorrect conclusions. During the Spring of 2021, TeamTNT denied involvement in some campaigns attributed to them. The tools used in these campaigns were based on some of TeamTNT's older scripts, not on tooling they were using at the time. This suggests that another threat actor has started to copy TeamTNT.