<p><em>Authored By: Tara Gould</em></p> <h2>Key Findings</h2> <p>Anomali Threat Research has discovered an open server to a directory listing that we attribute with high confidence to the German-speaking threat group, TeamTNT.</p> <p>The server contains source code, scripts, binaries, and cryptominers targeting Cloud environments.</p> <p>Other server contents include Amazon Web Services (AWS) Credentials stolen from TeamTNT stealers are also hosted on the server.</p> <p>This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups leveraging their tools.</p> <h2>Overview</h2> <p>Anomali Threat Research has identified a TeamTNT server open to directory listing. The server was used to serve scripts and binaries that TeamTNT use in their attacks, and also for the IRC communications for their bot. The directory appears to have been in use since at least August 2021 and was in use as of October 5, 2021. The contents of the directory contain metadata, scripts, source code, and stolen credentials.</p> <p>TeamTNT is a German-speaking, cryptojacking threat group that targets cloud environments. The group typically uses cryptojacking malware and have been active since at least April 2020.<sup>[1]</sup> TeamTNT activity throughout 2021 has targeted AWS, Docker, GCP, Linux, Kubernetes, and Windows, which corresponds to usual TeamTNT activity.<sup>[2]</sup></p> <h2>Technical Analysis</h2> <h3>Scripts (/cmd/)</h3> <p style="text-align: center;"><em><strong><img alt="Overview of /cmd/" src="https://cdn.filestackcontent.com/x5ePhaV7TCK3jzG3xE43" style="width: 500px;"/><br/> Figure 1</strong> - Overview of /cmd/</em></p> <p>Contained on the server are approximately 50 scripts, most of which are already documented, located in the /cmd/ directory. The objective of the scripts vary and include the following:</p> <ul> <li>AWS Credential Stealer</li> <li>Diamorphine Rootkit</li> <li>IP Scanners</li> <li>Mountsploit</li> <li>Scripts to set up utils</li> <li>Scripts to setup miners</li> <li>Scripts to remove previous miners</li> </ul> <p style="text-align: center;"><em><strong><img alt="Snippet of AWS Credential Stealer Script" src="https://cdn.filestackcontent.com/MeFaXXQqaJJekKSCiedA"/><br/> Figure 2</strong> - Snippet of AWS Credential Stealer Script</em></p> <p>Some notable scripts, for example, is the script that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server.</p> <p style="text-align: center;"><em><strong><img alt="Chimaera_Kubernetes_root_PayLoad_2.sh" src="https://cdn.filestackcontent.com/Iij8tMPcQAiUvZlfD9pn"/><br/> Figure 3</strong> - Chimaera_Kubernetes_root_PayLoad_2.sh</em></p> <p>Another interesting script is shown in Figure 3 above, which checks the architecture of the system, and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236.</p> <h3>Binaries (/bin/)</h3> <p style="text-align: center;"><em><strong><img alt="Overview of /bin" src="https://cdn.filestackcontent.com/lTPp44zVQWuTalQif8SY" style="width: 390px;"/><br/> Figure 4</strong> - Overview of /bin</em></p> <p>Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations.</p> <p>Among the files are well-known samples that are attributed to TeamTNT, including the Tsunami backdoor and a XMRig cryptominer. Some of the tools have the source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker, noted in Appendix A.</p> <p style="text-align: center;"><em><strong><img alt="Screenshot of TeamTNTbot.c" src="https://cdn.filestackcontent.com/CucqwJOLQweTVxSfRDvg"/><br/> Figure 5</strong> - Screenshot of TeamTNTbot.c</em></p> <p style="text-align: center;"><em><strong><img alt="Bot Commands" src="https://cdn.filestackcontent.com/Q0R8d76qTTWUIIys6B2X"/><br/> Figure 6</strong> - Bot Commands</em></p> <p>Lasty, the /bin/ folder also contains utilities including masscan, ngrok, <a href="https://github.com/inguardians/peirates" target="_blank">peirates</a>, pnscan, wget, zgrab. These utilities will be used to aid in carrying out the malicious activity.</p> <h3>Metadata (/in/)</h3> <p>The folder /in/, shown below in Figure 7, contains interesting data which includes two subfolders, AWS/ and results/. Inside of this folder appears to contain lists of S3 buckets and stolen AWS credentials shown in Figure 8 and Figure 9 below, coming from the scripts mentioned above. A file named “ngrok.authkeys.txt”, shown in Figure 10 below, displays an error of a failure to bind to a TLS tunnel with an account name. Although it is unclear if these are stolen credentials, TeamTNT have previously been reported to scan targets to steal ngrok credentials.<sup>[3]</sup> Two text files, docker_ips.txt and weave_uniq.txt, contain lists of IPs, with the Docker file totaling 13,282 IP addresses. Another file “HoneyPots.txt” contains data referring to 484 Docker containers.</p> <p style="text-align: center;"><em><strong><img alt="Directory of /in/" src="https://cdn.filestackcontent.com/38D22aNwRwGuqTnLn4BA" style="width: 400px;"/><br/> Figure 7</strong> - Directory of /in/</em></p> <p style="text-align: center;"><em><strong><img alt="AWS Stolen Credentials" src="https://cdn.filestackcontent.com/446RVpVQtKpsA0PTn3aB" style="width: 650px;"/><br/> Figure 8</strong> - AWS Stolen Credentials</em></p> <p style="text-align: center;"><em><strong><img alt="Example of Stolen Credentials File" src="https://cdn.filestackcontent.com/jUjmLNNQSGQNpTUt54lr"/><br/> Figure 9</strong> - Example of Stolen Credentials File</em></p> <p style="text-align: center;"><em><strong><img alt="ngrok.authkeys.txt" src="https://cdn.filestackcontent.com/z3xvQ7r5QkG6Y3t3Ja3u" style="width: 490px;"/><br/> Figure 10</strong> - ngrok.authkeys.txt</em></p> <h2>Conclusion</h2> <p>TeamTNT is a highly-active group that continues to evolve and target cloud infrastructure. The discovery of their infrastructure gives insight into their toolsets. It is unknown at this time whether TeamTNT have purposefully left this server open to directory listing, and why. However this is not the first time TeamTNT server has been open, as reported by Unit42 in June 2021.<sup>[4]</sup> Furthermore, the group appears unbothered with having their toolset publicized, and will engage with security researchers on Twitter, even giving recommendations of how the tools should be utilized.<sup>[5]</sup></p> <h2>Endnotes</h2> <p><sup>[1]</sup> “Tracking The Activities of TeamTNT,” Trend Micro, accessed October 5, 2021, published July 20, 2021, https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf.</p> <p><sup>[2]</sup> “TeamTNT With New Campaign Aka “Chimaera”,” accessed October 5, 2021, published September 8, 2021, https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera.</p> <p><sup>[3]</sup> ”TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations,” Palo Alto, accessed October 6, 2021, published June 4, 2021, https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/.</p> <p><sup>[4]</sup> Ibid.</p> <p><sup>[5]</sup> “HildeGard@TeamTNT,” Twitter, accessed October 6, 2021, published September 9, 2021, https://twitter.com/HildeTNT/status/1436026656695672839.</p> <p><sup>[6]</sup> “Malicious Docker Images Still Used For Malicious Purposes,” CounterCraft, accessed October 5, 2021, published September 29, 2021, https://www.countercraftsec.com/blog/post/using-malicious-docker-images-more-teamtnt-docker-abuse/.</p> <h2>IOCs</h2> <h3>Hashes</h3> <table class="table table-striped"> <tbody> <tr> <td>91917fec033047a97a64be297454e6d7</td> <td>./init/r.sh</td> </tr> <tr> <td>644749dda45caedda59f32f7991f0ffd</td> <td>./cmd/grab/aws2.sh</td> </tr> <tr> <td>7756f215ec37b1f545d1d8648a6d78d0</td> <td>./cmd/grab/aws-cloud.sh</td> </tr> <tr> <td>273ef84fbe3d495bff371e64cbf74b36</td> <td>./cmd/grab/aws.sh</td> </tr> <tr> <td>b20ab8eb3c3db7d20cecf44024762bd2</td> <td>./cmd/Setup.User.curl.sh</td> </tr> <tr> <td>1f6353c16d11e0e841129d55dfd9ac74</td> <td>./cmd/Setup_WeaveScope.sh</td> </tr> <tr> <td>fb3346a3cb6add01efade50b53dd211f</td> <td>./cmd/Setup_RainBow_Miner.sh</td> </tr> <tr> <td>ee9c391c98dee5331ac467854f0ae262</td> <td>./cmd/Kubernetes_root_PayLoad_2.2.sh</td> </tr> <tr> <td>bcf76b649b5c6016b4071d197b1ce111</td> <td>./cmd/setup_moneroocean_miner.sh</td> </tr> <tr> <td>7cced044d94a7ac6415598e663b46b26</td> <td>./cmd/Setup_ETH_MinerService.sh</td> </tr> <tr> <td>e85c28315dcdae18ab273775c29cefa7</td> <td>./cmd/gpu/ati.sh</td> </tr> <tr> <td>26870afb9524e1ab2eb396d15a222676</td> <td>./cmd/gpu/nvidia.sh</td> </tr> <tr> <td>27fd3a594fd66f4c113ab1f70a95f82e</td> <td>./cmd/gpu/c3pool_gpu.sh</td> </tr> <tr> <td>a8415b189839b9585193e2b2ec63d6f3</td> <td>./cmd/DockerAPI-SSH-BreakOut.sh</td> </tr> <tr> <td>45fc2131a4e60bb7545a2b1b235d66ef</td> <td>./cmd/Kubernetes_root_PayLoad_1.sh</td> </tr> <tr> <td>f7b90d0f91ed25806d49ca281a7db10c</td> <td>./cmd/init.sh</td> </tr> <tr> <td>940c1c591677efbe91d165751296dddd</td> <td>./cmd/ld.so.preload.sh</td> </tr> <tr> <td>4f476e9ea8aed60e29bf06ffe758f841</td> <td>./cmd/Setup_ETH_Miner.sh</td> </tr> <tr> <td>9ca7f7e428ff5e3dbe943efe8ed0df31</td> <td>./cmd/GRABBER_google-cloud.sh</td> </tr> <tr> <td>e2fcb71452e7e4057d144bd1c525432a</td> <td>./cmd/CLEAN.TeamTNT.sh</td> </tr> <tr> <td>c491a19742c352b2c6221037dfac7a4a</td> <td>./cmd/GRABBER_aws-cloud.sh</td> </tr> <tr> <td>3bfed4e4d3b828c427629f764d65bd57</td> <td>./cmd/setup/all.glib.sh</td> </tr> <tr> <td>66d63fc99fb80c7a1fb67f712582725b</td> <td>./cmd/setup/docker.ethminer.sh</td> </tr> <tr> <td>26870afb9524e1ab2eb396d15a222676</td> <td>./cmd/setup/nvidia.sh</td> </tr> <tr> <td>846b5ff8a0f64b9af3d22157cb437a5c</td> <td>./cmd/setup/all.golang.sh</td> </tr> <tr> <td>701bc6594b2e06952451d266ced2032a</td> <td>./cmd/setup/ngrok.sh</td> </tr> <tr> <td>03c43133db24a7b3f1e8a4d5c268668d</td> <td>./cmd/setup/tmate.sh</td> </tr> <tr> <td>39ea1f63f9ae414c56ab3dc66a7569cd</td> <td>./cmd/setup/apt.zgrab.sh</td> </tr> <tr> <td>64bcf5dc015e53c868950204e2cae3f1</td> <td>./cmd/setup/all.tsh.sh</td> </tr> <tr> <td>779a0bd628b67834116309bf3b3278ed</td> <td>./cmd/setup/docker.sh</td> </tr> <tr> <td>de036084f92920a921bc2a43b82a8149</td> <td>./cmd/Kubernetes_temp_PayLoad_1.sh</td> </tr> <tr> <td>4090469125917070c22203b7d973f52e</td> <td>./cmd/Kubernetes.LAN.IP.Range.sh</td> </tr> <tr> <td>406caa94137d5c1e18b9ee7d5c72d72d</td> <td>./cmd/clean/jupyter.sh</td> </tr> <tr> <td>b62fbf2f2a7859e69deeb75fa1153b41</td> <td>./cmd/clean/TeamTNT.sh</td> </tr> <tr> <td>0d173ab9281f013221a94b4289443a16</td> <td>./cmd/Kubernetes_temp_PayLoad_2.sh</td> </tr> <tr> <td>d88c87f1afb6de12d885fc0fbc33b605</td> <td>./cmd/Kubernetes_scan_LAN_IPs.sh</td> </tr> <tr> <td>a0c7366cd907197702aed089463af482</td> <td>./cmd/install-NVIDIA-driver.sh</td> </tr> <tr> <td>287794e108f3a4b07654ce83f6f41b38</td> <td>./cmd/Kubernetes_root_PayLoad_2.sh</td> </tr> <tr> <td>15d4150a3190e0630a6182a882be5cad</td> <td>./cmd/fix/nameserver.sh</td> </tr> <tr> <td>fd65800ea90386abbdd2b099cb4cdb45</td> <td>./cmd/fix/systemfix.sh</td> </tr> <tr> <td>419c721fd5eb8f740cb1f971af5dc745</td> <td>./cmd/init_main_root.sh</td> </tr> <tr> <td>d2c6d0fed174f4cbb09d1596e46258a6</td> <td>./cmd/MOUNTSPLOIT_V2.sh.txt</td> </tr> <tr> <td>c491a19742c352b2c6221037dfac7a4a</td> <td>./cmd/GRABBER_aws-cloud2.sh</td> </tr> <tr> <td>51a4ba442533bd0d69e0da7dd46e3d9c</td> <td>./cmd/clean.sh</td> </tr> <tr> <td>fefbc41c9514a9a4f4c4e88ead3ebd89</td> <td>./cmd/ssh_user.sh</td> </tr> <tr> <td>3f9466ee106e947a4cea13d57ce96ed1</td> <td>./cmd/exp/ssh.rsa.sh</td> </tr> <tr> <td>fffe69fabf5d014579686d8bc790e70f</td> <td>./cmd/exp/ssh.axx.sh</td> </tr> <tr> <td>80f3f20d5923c3a35022f065da9ea924</td> <td>./cmd/Setup_tmate.sh</td> </tr> <tr> <td>e275c26583f08e6fdbb6045c7b2db647</td> <td>./cmd/CLEAN.other.miners.sh</td> </tr> <tr> <td>68df6dc236a2f8d7231ca362b89148fe</td> <td>./cmd/ssh_user2.sh</td> </tr> <tr> <td>7d91732b7c8feced0ea698c83769e51d</td> <td>./bin/ngrok/aarch64</td> </tr> <tr> <td>0429e95cf9e7f631c944f23f82b89b54</td> <td>./bin/ngrok/x86_64</td> </tr> <tr> <td>5cdd0e39fc9be0a13134f26aba70ede1</td> <td>./bin/golang/go1.12.7.linux-386.tar.gz</td> </tr> <tr> <td>23bad8d12c43fc3e3a0568dbc8f19c85</td> <td>./bin/ethminer/cuda-9-x86_64.tar.gz</td> </tr> <tr> <td>ae929d06265be0310c3f2eb6c44314d7</td> <td>./bin/a.t.b/TeamTNTbot.c</td> </tr> <tr> <td>11d85a39722734273adb7a0b21ac29a6</td> <td>./bin/a.t.b/aarch64</td> </tr> <tr> <td>5e4424e2a11e53e36eb10eff417fd19a</td> <td>./bin/a.t.b/jupyter</td> </tr> <tr> <td>cffb2c0fbb0bb4a98024a682a982199b</td> <td>./bin/a.t.b/x86_64</td> </tr> <tr> <td>2c22a520cd1ed4fc8e249d333724412d</td> <td>./bin/xmrig.tar.gz</td> </tr> <tr> <td>777e1d9b717d339a7582e06ab28d0dd3</td> <td>./bin/bot_root/aarch64</td> </tr> <tr> <td>bdb404a243e374cda8948a5480f263e6</td> <td>./bin/bot_root/x86_64</td> </tr> <tr> <td>d901256374ddd1770270971856bf735a</td> <td>./bin/masscan/x86_64.rpm</td> </tr> <tr> <td>7400bf51827682ec6a43b2d1c0a93eca</td> <td>./bin/masscan/aarch64.rpm</td> </tr> <tr> <td>c1d28488c149ad232ad3073605eeaf35</td> <td>./bin/masscan/aarch64.apk</td> </tr> <tr> <td>ce43c3c74bde98127a91cd0224f1fa26</td> <td>./bin/masscan/masscan.sh</td> </tr> <tr> <td>87b30ac544d39a044b66ef103f36c357</td> <td>./bin/masscan/aarch64</td> </tr> <tr> <td>422385becd4e08062b56f57afbc5ae6b</td> <td>./bin/masscan/x86_64</td> </tr> <tr> <td>d4314256672783e773171fd25ac21f78</td> <td>./bin/pnscan/aarch64.deb</td> </tr> <tr> <td>f7a515b639dc08d8061fa56ffacbecac</td> <td>./bin/pnscan/x86_64.deb</td> </tr> <tr> <td>3102067a3822ff1c3c17999e3e2b602d</td> <td>./bin/pnscan/x86_64.rpm</td> </tr> <tr> <td>db8bc741c40388270bd88cfa1ff2aa41</td> <td>./bin/pnscan/aarch64</td> </tr> <tr> <td>d3ba2c41757b203ad0a12d1028074bbf</td> <td>./bin/pnscan/pnscan.tar.gz</td> </tr> <tr> <td>89d7c2db1f892139ee567d7ae29133a9</td> <td>./bin/pnscan/x86_64</td> </tr> <tr> <td>d3fae6436a45bfbc22fda8bcb66b27c0</td> <td>./bin/zgrab/ppc64le</td> </tr> <tr> <td>79b8b3d73c8e8c4b1f74a48a617690db</td> <td>./bin/zgrab/i386</td> </tr> <tr> <td>d5869c7c642aff3d91839aaa3f4b0671</td> <td>./bin/zgrab/aarch64</td> </tr> <tr> <td>26c8f6597826fbdebb5df4cd8cd34663</td> <td>./bin/zgrab/x86_64</td> </tr> <tr> <td>bc4084451fcf1439a23a081e32a6c532</td> <td>./bin/pei/pei32</td> </tr> <tr> <td>07179295144082d0291759d5cf2d19c2</td> <td>./bin/pei/pei64</td> </tr> <tr> <td>d9dd55f66b3d783864f21684c612b406</td> <td>./bin/tshd/x86_64</td> </tr> <tr> <td>3634fd8b0be6de05eb6df806a4f7b11e</td> <td>./bin/bot/TNT_gpu</td> </tr> <tr> <td>bd703ac4ea6ec7127fc9b8f8ce4d7c1e</td> <td>./bin/bot/SSHSPR</td> </tr> <tr> <td>13e2c82ecd3bfee92c75f30cf0f40cdc</td> <td>./bin/bot/chimaera.cc_Version2.c</td> </tr> <tr> <td>1221631e5fd5628435b6dfef15899fce</td> <td>./bin/bot/chimaera.cc</td> </tr> <tr> <td>73a9c6eaa8afc2b02699f172f294b496</td> <td>./bin/bot/TNT_gpu.c</td> </tr> <tr> <td>29c0f22199b6abb07f5f2a6a6037396b</td> <td>./bin/bot/AWS</td> </tr> <tr> <td>13e2c82ecd3bfee92c75f30cf0f40cdc</td> <td>./bin/bot/chimaera.cc.c</td> </tr> <tr> <td>cd7a98f04de9713b602c314743e5bf55</td> <td>./bin/bot/TeamTNTbot.c</td> </tr> <tr> <td>5718175711512e3fb20f5cf556c57924</td> <td>./bin/src/scope</td> </tr> <tr> <td>677000fb99bf02e3c477a4349df76319</td> <td>./bin/src/log_clean.c</td> </tr> <tr> <td>068f3a272598e55dc02382818f4de70e</td> <td>./bin/src/master.zip</td> </tr> <tr> <td>b767837f26b23ec978c1c8b42f9457a1</td> <td>./bin/src/rbm.zip</td> </tr> <tr> <td>3c61212d7bfb2c27834bb1d36c389273</td> <td>./bin/src/tsh.tar.gz</td> </tr> <tr> <td>7950de1f8f013cf3bf2c4eaa8ff4a3e5</td> <td>./bin/src/bash.tar.gz</td> </tr> <tr> <td>1dc06ba731199951436705f4969e5b4e</td> <td>./bin/src/dia/Makefile</td> </tr> <tr> <td>8ab4cecc4fbf10a1de46a5f0823e0a94</td> <td>./bin/src/dia/chimaeraxmr.h</td> </tr> <tr> <td>7d4ee4e30088c680b9a50e3924ecce20</td> <td>./bin/src/dia/chimaeraxmr.c</td> </tr> <tr> <td>b62ce36054a7e024376b98df7911a5a7</td> <td>./bin/src/xmrig.so</td> </tr> <tr> <td>4b05c9ad17a82104dba978ab68cec49a</td> <td>./bin/src/chimaeraxmr.tar.gz</td> </tr> <tr> <td>1254351aa752d5876ad225243bed69a8</td> <td>./CHIMAERA/bin/xmrigCC/kuben3.tar.gz</td> </tr> </tbody> </table> <h3>Network</h3> <p>45.9.148.182<br/> 45.9.148.182/cmd<br/> 45.9.148.182/CHIMAERA<br/> 45.9.148.182/bin<br/> 45.9.148.182/in<br/> 45.9.148.182/init<br/> 51.79.226.64<br/> 85.214.149.236 (appears to have been compromised)</p> <h2>MITRE ATT&CK TTPs</h2> <table class="table table-striped"> <tbody> <tr> <td>Technique</td> <td>ID</td> <td>Name</td> </tr> <tr> <td>Execution</td> <td>T1059.004</td> <td>Command and Scripting Interpreter: Unix</td> </tr> <tr> <td> </td> <td>T1609</td> <td>Container Administration Command</td> </tr> <tr> <td>Defense Evasion</td> <td>T1140</td> <td>Deobfuscate/Decode Files or Information</td> </tr> <tr> <td> </td> <td>T1070.003</td> <td>Indicator Removal on Host: Clear Command History</td> </tr> <tr> <td> </td> <td>T1070.004</td> <td>Indicator Removal on Host: File Deletion</td> </tr> <tr> <td> </td> <td>T1027</td> <td>Obfuscated Files or Information</td> </tr> <tr> <td> </td> <td>T1027.002</td> <td>Obfuscated Files or Information: Software Packing</td> </tr> <tr> <td> </td> <td>T1036.005</td> <td>Masquerading: Match Legitimate Names or Locations</td> </tr> <tr> <td>Credential Access</td> <td>T1552.001</td> <td>Unsecured Credentials: Credentials In Files</td> </tr> <tr> <td> </td> <td>T1552.004</td> <td>Unsecured Credentials: Private Keys</td> </tr> <tr> <td> </td> <td>T1552.005</td> <td>Unsecured Credentials: Instance Metadata API</td> </tr> <tr> <td>Discovery</td> <td>T1046</td> <td>Network Service Scanning</td> </tr> <tr> <td> </td> <td>T1082</td> <td>System Information Discovery</td> </tr> <tr> <td>Command and Control</td> <td>T1071</td> <td>Application Layer Protocol</td> </tr> <tr> <td> </td> <td>T1105</td> <td>Ingress Tool Transfer</td> </tr> <tr> <td> </td> <td>T1219</td> <td>Remote Access Software</td> </tr> <tr> <td> </td> <td>T1102</td> <td>Web Service</td> </tr> <tr> <td>Impact</td> <td>T1496</td> <td>Resource Hijacking</td> </tr> </tbody> </table> <h2>Appendix A</h2> <h3>Docker Images</h3> <p>TeamTNT are also hosting malicious docker images on a Docker repo named “alpineos”. The account contains 25 images, which includes XMRig, a reverse shell, moneroocean, kubepwn, and TeamTNTbot builder. In some of these images the scripts are reaching out to the scripts described above. In September 2021, CounterCraft released research on the “alpinos/dockerapi” image.<sup>[6]</sup></p> <p style="text-align: center;"><em><strong><img alt="TeamTNT Docker Repo" src="https://cdn.filestackcontent.com/HUvxwbk6QIunYpszlYSl"/><br/> Figure 11</strong> - TeamTNT Docker Repo</em></p> <table class="table table-striped"> <tbody> <tr> <td>Docker Image</td> </tr> <tr> <td>alpineos/dockerapi</td> </tr> <tr> <td>alpineos/wscopescan</td> </tr> <tr> <td>alpineos/dsbo</td> </tr> <tr> <td>alpineos/xxcrace</td> </tr> <tr> <td>alpineos/firstt</td> </tr> <tr> <td>alpineos/scopeppc64le</td> </tr> <tr> <td>alpineos/tntxmrigbuilder</td> </tr> <tr> <td>alpineos/simpledockerxmr</td> </tr> <tr> <td>alpineos/ttdft</td> </tr> <tr> <td>alpineos/tntbotbuilder</td> </tr> <tr> <td>alpineos/minion</td> </tr> <tr> <td>alpineos/xmrigcc</td> </tr> <tr> <td>alpineos/fluxfaxpax</td> </tr> <tr> <td>alpineos/scopeaarch64</td> </tr> <tr> <td>alpineos/scanaround</td> </tr> <tr> <td>alpineos/kirito</td> </tr> <tr> <td>alpineos/kndb</td> </tr> <tr> <td>alpineos/jupyter</td> </tr> <tr> <td>alpineos/java</td> </tr> <tr> <td>alpineos/revs</td> </tr> <tr> <td>alpineos/lftk</td> </tr> <tr> <td>alpineos/basicxmr</td> </tr> <tr> <td>alpineos/lft</td> </tr> <tr> <td>alpineos/weavescope</td> </tr> </tbody> </table> <h2>Appendix B</h2> <p>Source code available for <a href="https://gist.github.com/tgould0/87b21ece2f5e39229f35ee045f733b15" target="_blank">TeamTNTBot.c</a>, <a href="https://gist.github.com/tgould0/d208f27c0ad17ae5db7bd12a08812c03#file-chimaera-cc_version2-c" target="_blank">chimaera.cc_Version2.c</a>, and <a href="https://gist.github.com/tgould0/068077771d835eb667b71d9d7da997f0" target="_blank">TNT_GPU.c</a>.</p>
Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox
Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.