TeamTNT Hacking For Crypto – Using Open Source Attacks, Experts Weigh In

By   ISBuzz Team
Writer , Information Security Buzz | Sep 09, 2021 04:02 am PST


AT&T Alien labs has published a report detailing how the TeamTNT hacking group is using a wide variety of open source tools to mine the crypto coin Monero on systems worldwide. The team has been spotted targeting AWS credentials and Kubernetes installations for their mining purposes. Since just this past July, Alien Labs says, “the group is targeting Windows, AWS, Docker, Kubernetes, and various Linux installations, including Alpine… and is responsible for thousands of infections globally.”  Excerpt:

Key takeaways:

  • TeamTNT is using new, open-source tools to steal usernames and passwords from infected machines. 
  • The group is targeting various operating systems including: Windows, different Linux distributions including Alpine (used for containers), AWS, Docker, and Kubernetes.
  • The campaign has been active for approximately one month and is responsible for thousands of infections globally.
  • As of August 30, 2021, many malware samples still have zero antivirus (AV) detections and others have low detection rates.
  • TeamTNT’s portfolio of open source tools includes the port scanner Masscan, libprocesshider software for executing the TeamTNT bot from memory, 7z for file decompression, the b374k shell php panel for system control, and Lazagne.
  • Lazagne is an open source project that lists browsers including Chrome and Firefox, as well as Wi-Fi, OpenSSH, and various database programs as supported for password retrieval and credential storage.
  • Palo Alto Networks has also discovered that the group is using Peirates, a cloud penetration testing toolset to target cloud-based apps.
  • “The use of open-source tools like Lazagne allows TeamTNT to stay below the radar for a while, making it more difficult for antivirus companies to detect,” the company says.
  • While now self-armed with the kit necessary to strike a wide variety of operating systems, TeamTNT still focuses on cryptocurrency mining.
Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Garret F. Grajek
September 9, 2021 12:04 pm

<p>XMR (Monero) is a hot coin – and hackers will be wanting to mine this coin. Monero is THE choice of coin for many ransomware hackers because of its ability to obfuscate the address of the (hacker) recipient. Given that there are firms set up to trace bitcoin and other public block chains, privacy coins, in contrast, obfuscate the addresses of the senders and receivers – thus making it harder to track the parties involved.</p>
<p>The Monero network protects the transaction by utilizing \"stealth addresses\" (a one-time address created by the send for each transaction) so that it makes it harder for outsiders and authorities to trace the recipients. For this reason, the owner of resources that could be used for mining – need to double down on their security. Standard mechanisms such as patching and monitoring activity and usage is a must. In addition, the hackers will often try to manipulate and utilize admin credentials for persistency and lateral movement – why identity access reviews and identity triggers are key to any secure enterprise.</p>

Last edited 2 years ago by Garret F. Grajek

Recent Posts

Would love your thoughts, please comment.x