TeamTNT
Overview
TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.
TTPs — 56 techniques across 14 tactics
Reconnaissance
- T1595.001 Scanning IP Blocks
- T1595.002 Vulnerability Scanning
Resource Development
- T1583.001 Domains
- T1587.001 Malware
- T1608.001 Upload Malware
Execution
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.004 Unix Shell
- T1059.009 Cloud API
- T1059.013 Container CLI/API
- T1204.003 Malicious Image
- T1569.003 Systemctl
- T1609 Container Administration Command
- T1610 Deploy Container
Persistence
- T1098.004 SSH Authorized Keys
- T1133 External Remote Services
- T1136.001 Local Account
- T1543.002 Systemd Service
- T1543.003 Windows Service
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
- T1611 Escape to Host
Stealth
- T1014 Rootkit
- T1027.002 Software Packing
- T1027.013 Encrypted/Encoded File
- T1036 Masquerading
- T1036.005 Match Legitimate Resource Name or Location
- T1070.003 Clear Command History
- T1070.004 File Deletion
- T1140 Deobfuscate/Decode Files or Information
Defense Impairment
- T1222.002 Linux and Mac Permissions
- T1685 Disable or Modify Tools
- T1685.006 Clear Linux or Mac System Logs
- T1686 Disable or Modify System Firewall
Credential Access
- T1552.001 Credentials In Files
- T1552.004 Private Keys
- T1552.005 Cloud Instance Metadata API
Discovery
- T1007 System Service Discovery
- T1016 System Network Configuration Discovery
- T1046 Network Service Discovery
- T1049 System Network Connections Discovery
- T1057 Process Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1120 Peripheral Device Discovery
- T1518.001 Security Software Discovery
- T1613 Container and Resource Discovery
- T1680 Local Storage Discovery
Lateral Movement
- T1021.004 SSH
Collection
- T1074.001 Local Data Staging
Command and Control
- T1071 Application Layer Protocol
- T1071.001 Web Protocols
- T1102 Web Service
- T1105 Ingress Tool Transfer
- T1219 Remote Access Tools
Exfiltration
Impact
- T1496.001 Compute Hijacking
Tools & malware (4)
Peirates · MimiPenguin · LaZagne · Hildegard
Reporting (3)
- TeamTNT with new campaign aka Chimaera — AT&T Alien Labs
- TeamTNT Cryptomining Explosion — Intezer
- Taking TeamTNT's Docker Images Offline — Stroud, J