Research Saturday 11.13.21
Ep 209 | 11.13.21

A glimpse into TeamTNT.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Tara Gould: I discovered some Docker images, a Docker repo that contained twenty-five Docker images, and from that, that's where I find this repo.

Dave Bittner: That's Tara Gould. She's a senior intelligence researcher at Anomali. The research we're discussing today is titled, "Inside TeamTNT's Impressive Arsenal: A Look Into a TeamTNT server."

Tara Gould: So, TeamTNT are, you know, pretty – who are all in a group at the moment in the sense that they are targeting cloud environments, which is where the sort of future of everything tech is really going towards. So, I was interested in them from that perspective. Also interested in sort of their, you know, how they sort of differentiate themselves from other groups in the sense that they are quite interested in sort of self-promotion. You know, they don't shy away from essentially, like, self-attribution. You know, they will proudly state what is theirs, what they are doing. So it started as an interest. I knew that they were targeting sort of WeaveWorks WeaveScope. Based on that, I discovered some Docker images, a Docker repo that contained twenty-five Docker images. And from that, that's where I find this repo.

Dave Bittner: Well, before we dig into some of the specifics here, I mean, what are some of the other details about TeamTNT? What do we know about them?

Tara Gould: We know that they are German-speaking. They say that they're in Germany, and by all accounts, that does appear to be true. They also are an interesting group in the sense that, you know, other groups, you may think that they would say something like that to sort of throw people off the scent, but they are pretty upfront with information about themselves and their tactics and tools. So we know that they're German. They are interested in cryptojacking. They have been about in their current iteration since 2020. There is some research that points to them going back to potentially 2011, and there is some evidence supporting some possible iteration of them being about in some form for quite a number of years, possibly like eight or nine years.

Dave Bittner: Well, let's dig into this specific research here. What exactly is it that you all found?

Tara Gould: So, what we found was a TeamTNT repo that was sitting open to directory listing, which meant that we were able to find various folders that hosted large amounts of scripts, binaries, cryptominers, source code, stolen credentials, rootkits, metadata, tools, logs, and pretty much everything that would be used in one of their campaigns, and also artifacts from other campaigns.

Dave Bittner: Well, let's dig into some of the details here. I mean, you found a variety of different things. Can we go through them together and can you describe to us each sort of individual aspect to what it is that you discovered?

Tara Gould: Yep. So, this was – the /cmd/ folder, commands and stuff – this contained about fifty scripts. Now, a lot of these, you know, they've already been written about, they've been used in previous campaigns. It is nothing new, but that contained, you know, AWS credential stealers, Diamorphine rootkit, IP scanners, Mountsploit, scripts to set up utils, miners, and then they also have scripts that remove previous miners.

Dave Bittner: Do any of the scripts stand out in particular? Is there anything that's interesting or clever in the things that you found?

Tara Gould: Yeah. So, the mentions of Kubernetes is interesting as they appear to be sort of pivoting towards Kubernetes. Interesting for a number of reasons, as obviously, you know, the use of it is increasing. And again, it's a more sort of future-looking way of attacking, as opposed to sort of more old-school traditional, which would be like a doc file, macros, and sort of like Windows malware.

Dave Bittner: Well, let's dig into some of the binaries, then. What did you find there?

Tara Gould: Yep. So, another folder was the /bin/ folder. This contained a number of binaries. And again, a lot of these have been used by TeamTNT in the past. Another thing notable about TeamTNT is they do tend to watermark all of their malware, again, like somebody else could hypothetically do. But in terms of attribution, it does appear to be very clear that it is them. So the binaries included Tsunami backdoor, XMRig cryptominer. So, these – the cryptominers are pretty common with TeamTNT, as cryptojacking seems to be sort of their main focus. And then this folder also contained various utilities that they will use in carrying out their activities. So, some of these are like pentesting tools and, like, IP scanners.

Dave Bittner: And then one of the other things you explored here was some of the metadata. What was revealed here?

Tara Gould: This folder, the metadata folder, was very interesting. From what I can see, it appears to contain the stolen – so, I have to assume these are from previous TeamTNT campaigns, and contains lists of stolen AWS credentials, lists of S3 buckets. And there were some other credential files – in particular, the one that I noticed that was interesting was an ngrok credential file. That had a name attached to it. It's difficult to tell where exactly that came from, why there was just that single one, and it's unclear whether this was a victim or not. That's all I can really say on that without saying too much.

Dave Bittner: Yeah, it's sort of fascinating, as I was reading through your research here, as you kind of mentioned at the outset that, well, a couple of things about TeamTNT. I mean, first of all, I think it's fair to say that we don't really hear of a lot of threat groups coming out of Germany. That's interesting in itself. But then also, as you say, just how they're willing to hang their name on so many things, I mean, you know, the fact that they're coming from – if indeed they are from Germany, which, you know, we have a good relationship with when it comes to law enforcement – the fact that they're bragging about their efforts here, that's interesting as well.

Tara Gould: Yeah, it is very interesting. So, it could be a multitude of reasons for it. Maybe they're happy to, you know, sort of take the glory from it, if you will, because they haven't been caught yet. And you know, it's possible that they have been doing this for a number of years and, you know, could be sort of cocky about it. But it is interesting and it is, you know, a differentiator compared to other groups.

Tara Gould: There's also the aspect, like, if you look at it sort of from like a developer aspect, you know, like they're putting time and effort into creating these, like, you know, they are, I guess you would call them a successful threat group. So, you know, maybe they just want the sort of glory to go along with it. They want stuff that is theirs to be credited to them. They do frequently go after sort of either like researchers or companies that are putting out research that are attributing stuff to them that isn't them. They will come out and say, like, this is not TeamTNT, which is another interesting part. They're very willing in saying what is them and what's not.

Dave Bittner: Do you have any notion – I mean, the very fact that you are able to see inside this directory their own infrastructure here – do we suspect that that was intentional on their part, or may have been just a little bit of sloppiness?

Tara Gould: That is the really interesting question. So, after this was published on Twitter, they claimed that it was done intentionally, which, you know, it very well could have been. They said that it was done intentionally to sort of burn all of what they had and to move on to the next round of campaigns. Whether that's true or not, it's really hard to decipher. Ironically, they tweeted the other day a picture that was like, humans are often more stupid than they realize, possibly that, you know, they've just got a little bit careless. But it would surprise me, like they, you know, they're clearly technical, smart, whatever. So it would make sense it was done intentionally, but again, like, you never know. Like, we're all humans, sometimes just, you know, sort of overlook stuff. That's another part that is really interesting about this.

Dave Bittner: And so, based on the information that you all have gathered here, what are your recommendations for folks to best protect themselves?

Tara Gould: Yeah, so making sure security groups are configured properly, making sure that people's configurations are done correctly. A lot of the default configs you can't rely on. Keeping up-to-date with vulnerabilities is another one. And also monitoring and blocking malicious traffic.

Dave Bittner: Our thanks to Tara Gould from Anomali for joining us. The research is titled, "Inside TeamTNT's Impressive Arsenal: A Look Into a TeamTNT Server." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.