Description
[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)
Techniques Used (TTPs)
- T1133 — External Remote Services (persistence, initial-access)
- T1219 — Remote Access Tools (command-and-control)
- T1569.003 — Systemctl (execution)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1222.002 — Linux and Mac File and Directory Permissions Modification (defense-evasion)
- T1070.004 — File Deletion (defense-evasion)
- T1609 — Container Administration Command (execution)
- T1059.004 — Unix Shell (execution)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1543.002 — Systemd Service (persistence, privilege-escalation)
- T1136.001 — Local Account (persistence)
- T1007 — System Service Discovery (discovery)
- T1049 — System Network Connections Discovery (discovery)
- T1562.004 — Disable or Modify System Firewall (defense-evasion)
- T1543.003 — Windows Service (persistence, privilege-escalation)
- T1608.001 — Upload Malware (resource-development)
- T1059.003 — Windows Command Shell (execution)
- T1610 — Deploy Container (defense-evasion, execution)
- T1613 — Container and Resource Discovery (discovery)
- T1048 — Exfiltration Over Alternative Protocol (exfiltration)
- T1057 — Process Discovery (discovery)
- T1059.001 — PowerShell (execution)
- T1552.005 — Cloud Instance Metadata API (credential-access)
- T1070.003 — Clear Command History (defense-evasion)
- T1074.001 — Local Data Staging (collection)
- T1595.002 — Vulnerability Scanning (reconnaissance)
- T1027.002 — Software Packing (defense-evasion)
- T1204.003 — Malicious Image (execution)
- T1014 — Rootkit (defense-evasion)
- T1552.004 — Private Keys (credential-access)
- T1562.001 — Disable or Modify Tools (defense-evasion)
- T1611 — Escape to Host (privilege-escalation)
- T1070.002 — Clear Linux or Mac System Logs (defense-evasion)
- T1595.001 — Scanning IP Blocks (reconnaissance)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1518.001 — Security Software Discovery (discovery)
- T1496.001 — Compute Hijacking (impact)
- T1083 — File and Directory Discovery (discovery)
- T1021.004 — SSH (lateral-movement)
- T1036 — Masquerading (defense-evasion)
- T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
- T1082 — System Information Discovery (discovery)
- T1027.013 — Encrypted/Encoded File (defense-evasion)
- T1016 — System Network Configuration Discovery (discovery)
- T1046 — Network Service Discovery (discovery)
- T1120 — Peripheral Device Discovery (discovery)
- T1071 — Application Layer Protocol (command-and-control)
- T1098.004 — SSH Authorized Keys (persistence, privilege-escalation)
- T1583.001 — Domains (resource-development)
- T1059.009 — Cloud API (execution)
- T1071.001 — Web Protocols (command-and-control)
- T1552.001 — Credentials In Files (credential-access)
- T1587.001 — Malware (resource-development)
- T1102 — Web Service (command-and-control)
Total TTPs: 54
Malware & Tools
Malware: Hildegard
Tools: LaZagne, MimiPenguin, Peirates