Team TNT

 







Overview

Team TNT is a threat group known for targeting the cloud and container environment globally. They leverage the cloud and container resources and deploy the cryptocurrency miners in the environments of the victim. The group has been active since 2019 and announced it was quitting in 2021. However, it seems that either they have reappeared or a copycat group, named WatchDog, is imitating their routine.

Tactics & Techniques

Team TNT has use Tsunami Malware as a part of their tactics and techniques. It is a botnet that specifically targets Linux systems. It has the ability to connect wit Command and Control (C2) server vis Internet Relay Chat (IRC) protocol. The server controls the botnet and issues commands to the infected systems. It operates (C2) via IRC channels, functioning like chat rooms on the IRC network. Every infected system join a specific channel on IRC server, and waits for commands.

The instruction command might include downloading additional malware or performing other malicious activities, transforming the infected system into a backdoor for various malicious purposes. 

Hence, the features of Tsunami includes successfully hiding its processes and files to avoid detection, automatically reconnect to the C2 server if the connection is lost, and maintaining control over the compromised system. 

Conclusion

Team TNT follows a series of actions to deploy the cryptocurrency miners. However, some other other group is mimicking its attributes to attack the systems globally. Team TNT already announced that it was quitting, so WatchDog might be behind the recent campaigns using the name of Team TNT or some other cybercriminal group is taking advantage of their quitting announcement. However, the fact that Team TNT might have actually returned should not be ignored completely. 


























































Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)