TeamTNT Targets Multiple OS in New Chimaera Campaign
The TeamTNT malware group has a new toolkit made up of multiple shell/batch scripts, open-source tools, a cryptocurrency miner, an IRC bot and more, and has infected more than 5,000 systems with it. The group is targeting multiple operating systems and applications with the new kit. According to Alien Labs, infection statistics on the command-and-control server used in Chimaera suggest that TeamTNT has been running the campaign for almost two months.
For the most part, antivirus tools cannot detect the malware yet. Because of this, the Chimaera campaign has gone unimpeded as it infiltrates victims' networks, using its new, open-source tools to steal usernames and passwords from infected machines and to target a range of operating systems. Alien Labs stated that the Chimaera campaign has a similar focus to older TeamTNT campaigns: it steals cloud systems' credentials, uses infected systems for cryptocurrency mining, and uses victims' machines to search for and spread to other systems.
TeamTNT uses open-source tools to infect machines. In January, it was using the detection-evasion tool libprocesshider to hide its malware under Linux via the dynamic loader's preload mechanism (ld.so.preload). The Chimaera campaign uses Masscan and a port scanner to search for new infection candidates. It also uses libprocesshider while executing its bot directly from memory. It also uses LaZagne, an open-source application that retrieves passwords stored on the local computer from multiple applications and browsers, including Chrome, Firefox, Wi-Fi, OpenSSH, and various database programs. TeamTNT has also added Peirates, the open-source Kubernetes and cloud penetration-testing toolset, to its reconnaissance operations. With these tools available, TeamTNT is better able to gather enough information in targeted AWS and Google Cloud environments to perform additional tasks. This could enable further lateral movement and potential privilege-escalation attacks that could allow TeamTNT to acquire administrative access to an organization's entire cloud environment.
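The preload-based hiding described above can be checked for from the defender's side. The script below is an added example written for this page, not code from Alien Labs or from the TeamTNT toolkit; it assumes a Linux host, treats a small set of system library directories as the only expected homes for preloaded libraries, and uses constructed sample data for the offline demonstration.

```python
"""Detect libprocesshider-style process hiding via /etc/ld.so.preload.

libprocesshider hooks readdir() in every dynamically linked process that loads
the preloaded library, so `ps` and `ls /proc` both miss the hidden PID. A direct
stat() of /proc/<pid> does not go through readdir(), so a PID that stat()
confirms but a directory listing omits is a hiding candidate.
"""
import os
from typing import Callable, Iterable, List, Set

# Directories where legitimately preloaded libraries are normally installed
# (assumption for this example; adjust to the host's baseline).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def suspicious_preload_entries(preload_text: str) -> List[str]:
    """Return /etc/ld.so.preload entries that live outside the trusted lib dirs."""
    findings = []
    for line in preload_text.splitlines():
        entry = line.split("#", 1)[0].strip()  # ld.so permits '#' comments
        if entry and not entry.startswith(TRUSTED_LIB_DIRS):
            findings.append(entry)
    return findings


def hidden_pids(listed: Iterable[int], pid_max: int,
                exists: Callable[[int], bool]) -> Set[int]:
    """PIDs confirmed by `exists` (e.g. stat on /proc/<pid>) but absent from
    the readdir()-based listing `listed`."""
    listed_set = set(listed)
    return {pid for pid in range(1, pid_max + 1)
            if pid not in listed_set and exists(pid)}


def scan_live_system() -> Set[int]:
    """Run the readdir-vs-stat comparison against the real /proc (Linux only)."""
    listed = {int(name) for name in os.listdir("/proc") if name.isdigit()}
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    return hidden_pids(listed, pid_max, lambda p: os.path.exists(f"/proc/{p}"))


if __name__ == "__main__":
    # Constructed sample: a preload file pointing at a library outside system dirs,
    # and a process table where PID 7 exists but is missing from the listing.
    sample_preload = "/usr/lib/libc_malloc_debug.so\n/usr/local/lib/libprocesshider.so\n"
    print("suspicious preload entries:", suspicious_preload_entries(sample_preload))
    print("hidden pids:", hidden_pids([1, 2, 5], 10, lambda p: p in {1, 2, 5, 7}))
```

On a real host, `scan_live_system()` should be run as root so that every /proc/<pid> entry is visible to stat(); an empty result plus an empty preload file is the expected clean baseline.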
The group has been active since 2011, but its activity picked up last year. In April 2020, TeamTNT launched a phishing campaign that used COVID-19 terms as a lure. A month later, the group targeted vulnerable Docker containers to plant cryptocurrency miners. TeamTNT is known for targeting Amazon Web Services credentials, which the group uses to break into cloud instances to mine Monero cryptocurrency. It achieves full takeover of cloud instances using a legitimate tool called Weave Scope to establish fileless backdoors on targeted Docker and Kubernetes clusters. TeamTNT also keeps adding new features to its techniques. For example, in October 2020, it deployed the new Black-T cryptojacking malware to target competitors' XMR mining tools. The group has gone so far as to brag about its exploits by publishing its infection rates on its site.