Security researchers have found new evidence of TeamTNT activity dating back to 2023, despite a general belief that the group “evaporated” in 2022.
TeamTNT was a prolific threat actor known for cryptojacking attacks, which hijack victims' IT resources to illegally mine cryptocurrency.
The likely German-speaking actor first emerged in 2019 and became notorious for its “home-brewed malware using an extensive toolkit of shell scripts and malicious binaries,” says Group-IB.
It would target vulnerable public-facing instances of Redis, Kubernetes and Docker, stealing credentials and installing backdoors in its cryptojacking campaigns.
Published yesterday, the latest report from Group-IB has matched TeamTNT's tactics, techniques and procedures (TTPs) with ongoing campaigns dating from last year.
“The Group-IB DFIR team identified clear evidence of a new campaign affecting VPS cloud infrastructures based on CentOS operating systems,” it said.
“The investigation showed that initial access was achieved via a Secure Shell (SSH) brute-force attack on the victim's assets, in which the threat actor uploaded a malicious script. Our DFIR experts analyzed the script, which, once executed, checks whether the system has already been compromised by other miners.”
The malicious script also disables security features, removes logs and modifies system files, according to the report. It kills any cryptocurrency-mining processes it discovers, removes Docker containers and changes the DNS settings to Google's servers.
Group-IB added that the script installs the “Diamorphine” rootkit for stealth and root privileges and uses custom tools to maintain persistence and control.
“It locks the system by changing file attributes, creating a backdoor user with root access and erasing the command history to hide its activities,” said Group-IB.
“The overall analysis underlines TeamTNT's advanced skills in automating its attacks and considering every aspect and detail, from initial access to preventing recovery attempts, aimed at inflicting significant damage on the victim.”
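The post-compromise actions the report describes (a backdoor user with root access, locked system files, DNS pointed at Google's resolvers, a wiped command history and the Diamorphine rootkit) each leave host-level traces a responder can check for. The following triage script is an added example written for this article, not Group-IB's tooling: each function takes text as it would be collected from a Linux host (/etc/passwd, `lsattr` output, /etc/resolv.conf, a shell rc file, `lsmod` output and the names of loadable-module directories under /sys/module) and returns what it found. The sample inputs, the account name `svcadmin` and the rootkit module-name list are constructed assumptions; the cross-check of /sys/module against `lsmod` assumes a rootkit that unlinks itself from the kernel's module list and is not a complete rootkit detector.

```python
"""Host triage for the TeamTNT-style post-compromise actions described in the
article. Added example, not Group-IB's code. All inputs are plain text as
collected from a Linux host; the samples at the bottom are constructed."""
import re

# Google's public resolvers; the report says the script points DNS at them.
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}
# Assumed list of rootkit kernel-module names; Diamorphine is the one named
# in the report.
ROOTKIT_MODULES = {"diamorphine"}
# Shell rc/profile lines that disable or wipe the command history.
HISTORY_TAMPERING = re.compile(
    r"(HISTFILE=/dev/null|unset\s+HISTFILE|HISTSIZE=0|history\s+-c)")


def uid0_accounts(passwd_text):
    """Names of /etc/passwd entries with UID 0 other than root (backdoor user with root access)."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def locked_files(lsattr_text):
    """Paths whose lsattr flags include 'i' (immutable) or 'a' (append-only)."""
    hits = []
    for line in lsattr_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and set("ia") & set(parts[0]):
            hits.append(parts[1].strip())
    return hits


def dns_forced_to_google(resolv_text):
    """True if every nameserver line in resolv.conf points at a Google resolver."""
    servers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.MULTILINE)
    return bool(servers) and all(s in GOOGLE_DNS for s in servers)


def history_tampering(shell_rc_text):
    """Lines in a shell rc/profile that disable or wipe the command history."""
    return [line.strip() for line in shell_rc_text.splitlines()
            if HISTORY_TAMPERING.search(line)]


def rootkit_modules(lsmod_text, sys_module_names):
    """Known rootkit names seen in lsmod, plus loadable modules present under
    /sys/module (entries that have an initstate file) but missing from lsmod.
    Assumption: a rootkit that unlinks itself from the module list still has
    its sysfs directory. Built-in modules are excluded by the initstate rule."""
    listed = {line.split()[0] for line in lsmod_text.splitlines()[1:] if line.split()}
    named = {m for m in listed if m.lower() in ROOTKIT_MODULES}
    hidden = {m for m in sys_module_names if m not in listed}
    return sorted(named | hidden)


def triage(passwd_text, lsattr_text, resolv_text, shell_rc_text,
           lsmod_text, sys_module_names):
    """Run every check and return only the findings that fired."""
    findings = {}
    accounts = uid0_accounts(passwd_text)
    if accounts:
        findings["uid0_backdoor_accounts"] = accounts
    locked = locked_files(lsattr_text)
    if locked:
        findings["locked_files"] = locked
    if dns_forced_to_google(resolv_text):
        findings["dns_forced_to_google"] = True
    hist = history_tampering(shell_rc_text)
    if hist:
        findings["history_tampering"] = hist
    mods = rootkit_modules(lsmod_text, sys_module_names)
    if mods:
        findings["rootkit_modules"] = mods
    return findings


# Constructed sample host data (not real IoCs).
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
                 "svcadmin:x:0:0::/home/svcadmin:/bin/bash\n")
SAMPLE_LSATTR = ("----i---------e------- /etc/passwd\n"
                 "--------------e------- /etc/hostname\n"
                 "-----a--------e------- /var/log/auth.log\n")
SAMPLE_RESOLV = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n"
SAMPLE_BASHRC = ("export PATH=$PATH:/usr/local/bin\n"
                 "export HISTFILE=/dev/null\nunset HISTFILE\n")
SAMPLE_LSMOD = ("Module                  Size  Used by\n"
                "ext4                  802816  1\n"
                "xfs                  1556480  0\n")
SAMPLE_SYS_MODULES = ["ext4", "xfs", "diamorphine"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PASSWD, SAMPLE_LSATTR, SAMPLE_RESOLV,
                             SAMPLE_BASHRC, SAMPLE_LSMOD,
                             SAMPLE_SYS_MODULES).items():
        print(f"{key}: {value}")
```

On a live host the inputs would come from `cat /etc/passwd`, `lsattr /etc/passwd /etc/shadow /var/log/*`, `cat /etc/resolv.conf`, the root and service users' `.bashrc`/`.bash_profile`, `lsmod`, and `ls /sys/module/*/initstate`; a hit on any check is a reason to treat the box as compromised rather than to clean it in place, since the report notes the script also removes logs and works against recovery attempts.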