BACKGROUND:
AT&T Alien labs has published a report detailing how the TeamTNT hacking group is using a wide variety of open source tools to mine the crypto coin Monero on systems worldwide. The team has been spotted targeting AWS credentials and Kubernetes installations for their mining purposes. Since just this past July, Alien Labs says, “the group is targeting Windows, AWS, Docker, Kubernetes, and various Linux installations, including Alpine… and is responsible for thousands of infections globally.” Excerpt:
Key takeaways:
- TeamTNT is using new, open-source tools to steal usernames and passwords from infected machines.
- The group is targeting various operating systems including: Windows, different Linux distributions including Alpine (used for containers), AWS, Docker, and Kubernetes.
- The campaign has been active for approximately one month and is responsible for thousands of infections globally.
- As of August 30, 2021, many malware samples still have zero antivirus (AV) detections and others have low detection rates.
- TeamTNT’s portfolio of open source tools includes the port scanner Masscan, libprocesshider software for executing the TeamTNT bot from memory, 7z for file decompression, the b374k shell php panel for system control, and Lazagne.
- Lazagne is an open source project that lists browsers including Chrome and Firefox, as well as Wi-Fi, OpenSSH, and various database programs as supported for password retrieval and credential storage.
- Palo Alto Networks has also discovered that the group is using Peirates, a cloud penetration testing toolset to target cloud-based apps.
- “The use of open-source tools like Lazagne allows TeamTNT to stay below the radar for a while, making it more difficult for antivirus companies to detect,” the company says.
- While now self-armed with the kit necessary to strike a wide variety of operating systems, TeamTNT still focuses on cryptocurrency mining.
