TeamTNT


In early February 2021, TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images hosted on Docker Hub, the attackers target misconfigured Docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that looks for the next victim. They are linked to the First Crypto-Mining Worm to Steal AWS Credentials and to the Hildegard cryptojacking malware. TeamTNT is a relatively recent addition to a growing number of threats targeting the cloud. While they employ some of the same tactics as similar groups, TeamTNT stands out for its social media presence and penchant for self-promotion. Tweets from TeamTNT's account are in both English and German, although it is unknown whether the group is located in Germany.


Associated Families

There are currently no families associated with this actor.


References
2021-02-20 | Malpedia | Malpedia
Malpedia Website for Malware Family Team TNT
@online{malpedia:20210220:malpedia:db1282e, author = {Malpedia}, title = {{Malpedia Website for Malware Family Team TNT}}, date = {2021-02-20}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt}, language = {English}, urldate = {2021-03-12} }
TeamTNT TeamTNT
2021-02-17 | Aquasec | Assaf Morag
Threat Alert: TeamTNT Pwn Campaign Against Docker and K8s Environments
@online{morag:20210217:threat:b99a6f4, author = {Assaf Morag}, title = {{Threat Alert: TeamTNT Pwn Campaign Against Docker and K8s Environments}}, date = {2021-02-17}, organization = {Aquasec}, url = {https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment}, language = {English}, urldate = {2021-02-20} }
TeamTNT TeamTNT
2021-02-14 | Cyware | Cyware
Hildegard: TeamTNT’s New Feature-Rich Malware Targeting Kubernetes
@online{cyware:20210214:hildegard:580418b, author = {Cyware}, title = {{Hildegard: TeamTNT’s New Feature-Rich Malware Targeting Kubernetes}}, date = {2021-02-14}, organization = {Cyware}, url = {https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45}, language = {English}, urldate = {2021-03-12} }
TeamTNT
2021-02-03 | Palo Alto Networks Unit 42 | Jay Chen, Aviv Sasson, Ariel Zelivansky
Hildegard: New TeamTNT Malware Targeting Kubernetes
@online{chen:20210203:hildegard:f3ca3bc, author = {Jay Chen and Aviv Sasson and Ariel Zelivansky}, title = {{Hildegard: New TeamTNT Malware Targeting Kubernetes}}, date = {2021-02-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/}, language = {English}, urldate = {2021-02-04} }
TeamTNT TeamTNT
2021-01-27 | AT&T | Ofer Caspi
TeamTNT delivers malware with new detection evasion tool
@online{caspi:20210127:teamtnt:8ebf267, author = {Ofer Caspi}, title = {{TeamTNT delivers malware with new detection evasion tool}}, date = {2021-01-27}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool}, language = {English}, urldate = {2021-01-27} }
TeamTNT TeamTNT
2021-01-05 | Lacework Labs | Lacework Labs
TeamTNT Builds Botnet from Chinese Cloud Servers
@online{labs:20210105:teamtnt:8508ba0, author = {Lacework Labs}, title = {{TeamTNT Builds Botnet from Chinese Cloud Servers}}, date = {2021-01-05}, organization = {Lacework Labs}, url = {https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/}, language = {English}, urldate = {2021-03-12} }
TeamTNT TNTbotinger TeamTNT
2020-12-21 | Intezer | Intezer
Top Linux Cloud Threats of 2020
@online{intezer:20201221:top:9529707, author = {Intezer}, title = {{Top Linux Cloud Threats of 2020}}, date = {2020-12-21}, organization = {Intezer}, url = {https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/}, language = {English}, urldate = {2020-12-26} }
AgeLocker Anchor_DNS Blackrota Cloud Snooper Dacls Doki FritzFrog IPStorm Kaiji Kinsing NOTROBIN Penquin Turla PLEAD Prometei RansomEXX Stantinko TeamTNT TSCookie WellMail elf.wellmess TeamTNT
2020-12-18 | Trend Micro | David Fiser
TeamTNT Now Deploying DDoS-Capable IRC Bot TNTbotinger
@online{fiser:20201218:teamtnt:3d5abe1, author = {David Fiser}, title = {{TeamTNT Now Deploying DDoS-Capable IRC Bot TNTbotinger}}, date = {2020-12-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html}, language = {English}, urldate = {2020-12-23} }
PerlBot TNTbotinger TeamTNT
2020-08-17 | Cado Security | Chris Doman
Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials
@online{doman:20200817:team:01dd484, author = {Chris Doman}, title = {{Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials}}, date = {2020-08-17}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials}, language = {English}, urldate = {2021-03-12} }
TeamTNT TeamTNT

Credits: MISP Project