
A Deep Dive into TeamTNT and Spinning YARN

Dec. 18, 2024, 12:09 p.m.

Description

TeamTNT is conducting a crypto mining campaign called Spinning YARN, targeting Docker, Redis, YARN, and Confluence. The attack involves server-side scripting vulnerabilities, obfuscated code, and malware deployment. The malware assesses the environment, disables cloud security, establishes persistence, and sets up a crypto miner. The impact extends beyond resource consumption, granting the attacker persistent access for potential further exploitation. TeamTNT, active since 2019, is known for attacks on cloud environments and cryptojacking. The campaign utilizes various tools and tactics, including malware droppers, XMRig miners, and reverse shells. Organizations should prioritize securing their infrastructure and stay informed about evolving threats to Linux and cloud environments.

Date

Published: Dec. 18, 2024, 6:34 a.m.

Created: Dec. 18, 2024, 6:34 a.m.

Modified: Dec. 18, 2024, 12:09 p.m.

Indicators


https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence

https://tip.neiki.dev/file/64d8f887e33781bb814eaefa98dd64368da9a8d38bd9da4a76f04a23b6eb9de5/content


Attack Patterns

Actor and tools: TeamTNT, Platypus, XMRig

MITRE ATT&CK techniques:
T1053.003 (Scheduled Task/Job: Cron)
T1543.002 (Create or Modify System Process: Systemd Service)
T1021.004 (Remote Services: SSH)
T1569.002 (System Services: Service Execution)
T1552.001 (Unsecured Credentials: Credentials In Files)
T1059.004 (Command and Scripting Interpreter: Unix Shell)
T1497 (Virtualization/Sandbox Evasion)
T1071.001 (Application Layer Protocol: Web Protocols)
T1070.004 (Indicator Removal: File Deletion)
T1562.001 (Impair Defenses: Disable or Modify Tools)
T1569.001 (System Services: Launchctl)
T1016 (System Network Configuration Discovery)
T1518 (Software Discovery)
T1082 (System Information Discovery)
T1105 (Ingress Tool Transfer)
T1083 (File and Directory Discovery)
T1046 (Network Service Discovery)
T1036 (Masquerading)
T1033 (System Owner/User Discovery)
T1027 (Obfuscated Files or Information)
T1078 (Valid Accounts)

Additional Information

Germany