TeamTNT suspected to be behind new Monero cryptocurrency malware



The cryptojacking group known as TeamTNT is suspected to be behind a previously undiscovered strain of malware used to mine Monero cryptocurrency on compromised systems, according to Cado Security. The early phase of the attack chain involved a cryptocurrency miner, which the cloud security firm suspects was deployed as a decoy so that the accompanying data exfiltration would escape detection.

TeamTNT, active since at least 2019, has been documented repeatedly striking cloud and container environments to deploy cryptocurrency miners. It is also known to unleash a crypto mining worm capable of stealing AWS credentials. While the threat actor willingly shut down its operations in November 2021, cloud security firm Aqua disclosed in September 2022 a fresh set of attacks mounted by the group targeting misconfigured Docker and Redis instances. That said, there are also indications that rival crews such as WatchDog might be mimicking TeamTNT's tactics, techniques, and procedures (TTPs) to foil attribution efforts.

The new sample was found by Cado Security after Sysdig detailed a sophisticated attack known as SCARLETEEL, which is aimed at containerized environments and is used to ultimately steal proprietary data and software. The sample was uploaded to VirusTotal late last month. It has been revealed that the artifact "bear[s] several syntactic and semantic similarities to prior TeamTNT payloads, and includes a wallet ID that has previously been attributed to them."
