elf.teamtnt

TeamTNT


Team TNT has been a well-known threat actor since fall 2019, targeting *nix-based systems and misconfigured Docker container environments. It has constantly evolved its capabilities for cloud-based cryptojacking operations and has shifted its focus to compromising Kubernetes clusters.

References
2022-07-18Palo Alto Networks Unit 42Unit 42
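% Corporate author is double-braced so BibTeX/Biber keeps "Unit 42" as one name.
% Title was presumably truncated on export; completed to match the URL slug (thieflibra).
@online{42:20220718:thief:907b1b4,
  author       = {{Unit 42}},
  title        = {{Thief Libra}},
  date         = {2022-07-18},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/atoms/thieflibra/},
  language     = {English},
  urldate      = {2022-07-29},
}
Thief Libra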
TeamTNT Watchdog
2022-07-18Palo Alto Networks Unit 42Unit 42
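% Corporate author is double-braced so BibTeX/Biber keeps "Unit 42" as one name.
@online{42:20220718:adept:6318e92,
  author       = {{Unit 42}},
  title        = {{Adept Libra}},
  date         = {2022-07-18},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/atoms/adept-libra/},
  language     = {English},
  urldate      = {2022-07-25},
}
Adept Libra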
TeamTNT TeamTNT
2022-03-02CyberArkCyberArk Labs
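% Corporate author is double-braced so it is not split into given name "CyberArk" and surname "Labs".
@online{labs:20220302:conti:52c16db,
  author       = {{CyberArk Labs}},
  title        = {{Conti Group Leaked!}},
  date         = {2022-03-02},
  organization = {CyberArk},
  url          = {https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked},
  language     = {English},
  urldate      = {2022-03-03},
}
Conti Group Leaked!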
TeamTNT Conti TrickBot
2022-02-18IntezerIntezer
@online{intezer:20220218:teamtnt:354772f,
  author       = {Intezer},
  title        = {{TeamTNT Cryptomining Explosion}},
  date         = {2022-02-18},
  organization = {Intezer},
  url          = {https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/},
  language     = {English},
  urldate      = {2022-02-26},
}
TeamTNT Cryptomining Explosion
TeamTNT
2022-02-09vmwareVMWare
@techreport{vmware:20220209:exposing:7b5f76e,
  author      = {VMWare},
  title       = {{Exposing Malware in Linux-Based Multi-Cloud Environments}},
  date        = {2022-02-09},
  institution = {vmware},
  url         = {https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf},
  language    = {English},
  urldate     = {2022-02-10},
}
Exposing Malware in Linux-Based Multi-Cloud Environments
ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike
2022Toli SecurityToli Security
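% Corporate author is double-braced so it is not split into given name "Toli" and surname "Security".
@online{security:2022:active:4c1170d,
  author       = {{Toli Security}},
  title        = {{Active crypto-mining operation by TeamTNT}},
  date         = {2022},
  organization = {Toli Security},
  url          = {https://tolisec.com/active-crypto-mining-operation-by-teamtnt/},
  language     = {English},
  urldate      = {2022-04-15},
}
Active crypto-mining operation by TeamTNT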
TeamTNT
2021-12-07sysdigAlberto Pellitteri
@online{pellitteri:20211207:threat:1b9039a,
  author       = {Alberto Pellitteri},
  title        = {{Threat news: TeamTNT stealing credentials using EC2 Instance Metadata}},
  date         = {2021-12-07},
  organization = {sysdig},
  url          = {https://sysdig.com/blog/teamtnt-aws-credentials/},
  language     = {English},
  urldate      = {2021-12-08},
}
Threat news: TeamTNT stealing credentials using EC2 Instance Metadata
TeamTNT
2021-12-01Trend MicroTrend Micro Research
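% Corporate author is double-braced so "Trend Micro Research" is kept as one indivisible name.
@online{research:20211201:analyzing:18167cf,
  author       = {{Trend Micro Research}},
  title        = {{Analyzing How TeamTNT Used Compromised Docker Hub Accounts}},
  date         = {2021-12-01},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html},
  language     = {English},
  urldate      = {2021-12-07},
}
Analyzing How TeamTNT Used Compromised Docker Hub Accounts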
TeamTNT
2021-11-03Trend MicroDavid Fiser, Alfredo Oliveira
@online{fiser:20211103:teamtnt:180af48,
  author       = {David Fiser and Alfredo Oliveira},
  title        = {{TeamTNT Upgrades Arsenal, Refines Focus on Kubernetes and GPU Environments}},
  date         = {2021-11-03},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html},
  language     = {English},
  urldate      = {2021-11-08},
}
TeamTNT Upgrades Arsenal, Refines Focus on Kubernetes and GPU Environments
TeamTNT
2021-10-07UptycsSiddharth Sharma
@online{sharma:20211007:team:50e3c4d,
  author       = {Siddharth Sharma},
  title        = {{Team TNT Deploys Malicious Docker Image On Docker Hub}},
  date         = {2021-10-07},
  organization = {Uptycs},
  url          = {https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools},
  language     = {English},
  urldate      = {2021-10-11},
}
Team TNT Deploys Malicious Docker Image On Docker Hub
TeamTNT
2021-10-06AnomaliTara Gould
@online{gould:20211006:inside:9391014,
  author       = {Tara Gould},
  title        = {{Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server}},
  date         = {2021-10-06},
  organization = {Anomali},
  url          = {https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server},
  language     = {English},
  urldate      = {2021-10-11},
}
Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server
TeamTNT
2021-09-14Cado SecurityCado Security
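% Corporate author is double-braced so it is not split into given name "Cado" and surname "Security".
@online{security:20210914:teamtnt:bdb30cc,
  author       = {{Cado Security}},
  title        = {{TeamTNT Script Employed to Grab AWS Credentials}},
  date         = {2021-09-14},
  organization = {Cado Security},
  url          = {https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/},
  language     = {English},
  urldate      = {2021-09-19},
}
TeamTNT Script Employed to Grab AWS Credentials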
TeamTNT Tsunami
2021-09-08AT&TOfer Caspi
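% The ampersand in the organization name is escaped; a bare "&" in a text field aborts the LaTeX run.
@online{caspi:20210908:teamtnt:f9ad39d,
  author       = {Ofer Caspi},
  title        = {{TeamTNT with new campaign aka “Chimaera”}},
  date         = {2021-09-08},
  organization = {AT\&T},
  url          = {https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera},
  language     = {English},
  urldate      = {2021-09-10},
}
TeamTNT with new campaign aka “Chimaera”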
TeamTNT
2021-09IntezerIntezer
@techreport{intezer:202109:teamtnt:425ab21,
  author      = {Intezer},
  title       = {{TeamTNT: Cryptomining Explosion}},
  date        = {2021-09},
  institution = {Intezer},
  url         = {https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf},
  language    = {English},
  urldate     = {2021-09-19},
}
TeamTNT: Cryptomining Explosion
TeamTNT Tsunami
2021-07-20Trend MicroDavid Fiser, Alfredo Oliveira
@techreport{fiser:20210720:tracking:9085bb7,
  author      = {David Fiser and Alfredo Oliveira},
  title       = {{Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group}},
  date        = {2021-07-20},
  institution = {Trend Micro},
  url         = {https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf},
  language    = {English},
  urldate     = {2021-07-26},
}
Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group
TeamTNT
2021-02-20MalpediaMalpedia
@online{malpedia:20210220:malpedia:db1282e,
  author       = {Malpedia},
  title        = {{Malpedia Website for Malware Family Team TNT}},
  date         = {2021-02-20},
  organization = {Malpedia},
  url          = {https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt},
  language     = {English},
  urldate      = {2021-03-12},
}
Malpedia Website for Malware Family Team TNT
TeamTNT TeamTNT
2021-02-17AquasecAssaf Morag
@online{morag:20210217:threat:b99a6f4,
  author       = {Assaf Morag},
  title        = {{Threat Alert: TeamTNT Pwn Campaign Against Docker and K8s Environments}},
  date         = {2021-02-17},
  organization = {Aquasec},
  url          = {https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment},
  language     = {English},
  urldate      = {2021-02-20},
}
Threat Alert: TeamTNT Pwn Campaign Against Docker and K8s Environments
TeamTNT TeamTNT
2021-02-03Palo Alto Networks Unit 42Jay Chen, Aviv Sasson, Ariel Zelivansky
@online{chen:20210203:hildegard:f3ca3bc,
  author       = {Jay Chen and Aviv Sasson and Ariel Zelivansky},
  title        = {{Hildegard: New TeamTNT Malware Targeting Kubernetes}},
  date         = {2021-02-03},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/},
  language     = {English},
  urldate      = {2021-02-04},
}
Hildegard: New TeamTNT Malware Targeting Kubernetes
TeamTNT TeamTNT
2021-01-27AT&TOfer Caspi
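% The ampersand in the organization name is escaped; a bare "&" in a text field aborts the LaTeX run.
@online{caspi:20210127:teamtnt:8ebf267,
  author       = {Ofer Caspi},
  title        = {{TeamTNT delivers malware with new detection evasion tool}},
  date         = {2021-01-27},
  organization = {AT\&T},
  url          = {https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool},
  language     = {English},
  urldate      = {2021-01-27},
}
TeamTNT delivers malware with new detection evasion tool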
TeamTNT TeamTNT
2021-01-05Lacework LabsLacework Labs
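% Corporate author is double-braced so it is not split into given name "Lacework" and surname "Labs".
@online{labs:20210105:teamtnt:8508ba0,
  author       = {{Lacework Labs}},
  title        = {{TeamTNT Builds Botnet from Chinese Cloud Servers}},
  date         = {2021-01-05},
  organization = {Lacework Labs},
  url          = {https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/},
  language     = {English},
  urldate      = {2021-03-12},
}
TeamTNT Builds Botnet from Chinese Cloud Servers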
TeamTNT TNTbotinger TeamTNT
2020-12-21IntezerIntezer
@online{intezer:20201221:top:9529707,
  author       = {Intezer},
  title        = {{Top Linux Cloud Threats of 2020}},
  date         = {2020-12-21},
  organization = {Intezer},
  url          = {https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/},
  language     = {English},
  urldate      = {2020-12-26},
}
Top Linux Cloud Threats of 2020
AgeLocker AnchorDNS Blackrota Cloud Snooper Dacls Doki FritzFrog IPStorm Kaiji Kinsing NOTROBIN Penquin Turla PLEAD Prometei RansomEXX Stantinko TeamTNT TSCookie WellMail elf.wellmess TeamTNT
2020-08-17Cado SecurityChris Doman
@online{doman:20200817:team:01dd484,
  author       = {Chris Doman},
  title        = {{Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials}},
  date         = {2020-08-17},
  organization = {Cado Security},
  url          = {https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials},
  language     = {English},
  urldate      = {2021-03-12},
}
Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials
TeamTNT TeamTNT
2020-08-17Cado SecurityChris Doman, James Campbell
@online{doman:20200817:team:a654242,
  author       = {Chris Doman and James Campbell},
  title        = {{Team TNT - The First Crypto-Mining Worm to Steal AWS Credentials}},
  date         = {2020-08-17},
  organization = {Cado Security},
  url          = {https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/},
  language     = {English},
  urldate      = {2020-08-19},
}
Team TNT - The First Crypto-Mining Worm to Steal AWS Credentials
TeamTNT

There is no YARA signature yet.