TeamTNT

TeamTNT is a prominent threat actor known for executing sophisticated attacks with malicious intent, primarily focusing on cryptojacking - the unauthorized use of victims' IT resources to mine cryptocurrency. The group's Hildegard malware has been identified as one of the most complex attacks targeting Kubernetes, demonstrating TeamTNT’s advanced skills in automating its attacks and meticulous planning from initial access to preventing recovery attempts. The group's Docker Gatling Gun Campaign illustrates their intent to cause significant damage to their victims. Despite beliefs that the group "evaporated" in 2022, new evidence suggests continued activity into 2023. The P2PInfect worm's unique infection vector, exploiting Redis through CVE-2022-0543, sets it apart from other cryptojacking-focused worms known to target Redis instances, such as those created by Adept Libra (aka TeamTNT), Thief Libra (aka WatchDog) threat actors, or ones delivering Money Libra (aka Kinsing) variants. This tactic, along with others used by the attackers, indicates a new campaign from TeamTNT, referred to as the Hildegard campaign, named after the tmate account username used by the malware. An overlap of TeamTNT tactics, techniques, and procedures (TTPs) with ongoing campaigns dating back to last year was revealed in Group-IB’s latest report. Despite challenges in attribution, similarities in shell script payloads hint at potential connections to previous cloud attacks by threat actors like TeamTNT, WatchDog, and the Kiss a Dog campaign. For instance, cloud security company Sysdig found that TeamTNT mined over $8,100 worth of cryptocurrency from hijacked cloud infrastructure, costing their victims more than $430,000. In 2023, SentinelOne and Aqua Security studied a TeamTNT cryptojacking campaign that targeted Google Cloud, Microsoft Azure, and Amazon Web Services (AWS), further underscoring the group's significant threat to cloud infrastructures.