A Deep Dive into TeamTNT and Spinning YARN

Dec. 18, 2024, 12:09 p.m.

Description

TeamTNT is conducting a crypto mining campaign called Spinning YARN, targeting Docker, Redis, YARN, and Confluence. The attack involves server-side scripting vulnerabilities, obfuscated code, and malware deployment. The malware assesses the environment, disables cloud security, establishes persistence, and sets up a crypto miner. The impact extends beyond resource consumption, granting the attacker persistent access for potential further exploitation. TeamTNT, active since 2019, is known for attacks on cloud environments and cryptojacking. The campaign utilizes various tools and tactics, including malware droppers, XMRig miners, and reverse shells. Organizations should prioritize securing their infrastructure and stay informed about evolving threats to Linux and cloud environments.

External References

https://isc.sans.edu/diary/rss/31530
https://otx.alienvault.com/pulse/67626d10c54a2c9e6d59630e
Tags
linux
obfuscation
xmrig
cloud security
docker
yarn
spinning yarn
confluence
2024-12-18
crypto mining
redis
platypus

Date

  • Created: Dec. 18, 2024, 6:34 a.m.
  • Published: Dec. 18, 2024, 6:34 a.m.
  • Modified: Dec. 18, 2024, 12:09 p.m.

Indicators

  • e137bf61096f68478a0daa63fca1b2cc45a99f2dfdcd08d7ff7c449f38cf5ce9
  • d27eeb48b1a74efd8710ef4ce62ee8469dd2352b0079c5b1c82e8da43fe932a2
  • d15af7984ed9b33093d7d5725c84ab24edf7c4ff02af3ac0a6c3aa9d5f7e12f4
  • bbcdffd6fa3b1370dfc091bfd3bfca38be013f72f94af7ef29466d911c9604d8
  • b2e26c7ce901296822085164ede73557a10badfdf99d1aa30f338446d0beb2d7
  • bb89a6bbddc5dda36542a5fef230b8fa9d98fbdb0ec4fa1794b8c28a0b5a3af4
  • 9eafaf5e0fb9a91f2887f3e81fd7ad6d70973ff7cbb807dab4bf0f319a668b95
  • aec68cfa75b582616c8fbce22eecf463ddb0c09b692a1b82a8de23fb0203fede
  • 7e84f9aab329754fe4681d4d6e4c64098731fd55b5998d7cfacb08ba4dbdfd5c
  • 651a3034429358a0ccb2d58ecbe2b7f3e4ee1bf4bee3e7a86f7ca873f6049ec2
  • 5b9acfd34a30a3f26db492ed4404d518d583c0088a38a7622b683407c34b9108
  • 18137be62c9267cf6b0b40432a91c5818c66bdaa42aad3728c598d3fc65fdcff
  • afddbaec28b040bcbaa13decdc03c1b994d57de244befbdf2de9fe975cae50c4
  • 64d8f887e33781bb814eaefa98dd64368da9a8d38bd9da4a76f04a23b6eb9de5
  • 0c7579294124ddc32775d7cf6b28af21b908123e9ea6ec2d6af01a948caf8b87
  • d4508f8e722f2f3ddd49023e7689d8c65389f65c871ef12e3a6635bbaeb7eb6e
  • 62.113.111.152
  • 154.38.165.7
  • 212.233.121.136
  • 47.93.56.107
  • https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence.
  • https://tip.neiki.dev/file/64d8f887e33781bb814eaefa98dd64368da9a8d38bd9da4a76f04a23b6eb9de5/content.
  • https://m.9-9-8.com
  • https://b.9-9-8.com/brysj/w.sh
  • https://b.9-9-8.com/brysj/m/enbio.tar
  • https://b.9-9-8.com/brysj/m/enbash.tar
  • https://b.9-9-8.com/brysj/d/ar.sh
  • https://b.9-9-8.com/brysj/
  • https://9-9-8.com
  • http://b.9-9-8.com/brysj/ar.sh
  • http://b.9-9-8.com/brysj
  • http://b.9-9-8.com/brysj/w.sh
  • 9-9-8.com
  • m.9-9-8.com
  • b.9-9-8.com
Download all indicators here!

Attack Patterns

  • Platypus
  • XMRig
  • TeamTNT
  • T1053.003
  • T1543.002
  • T1021.004
  • T1569.002
  • T1552.001
  • T1059.004
  • T1497
  • T1071.001
  • T1070.004
  • T1562.001
  • T1569.001
  • T1016
  • T1518
  • T1082
  • T1105
  • T1083
  • T1046
  • T1036
  • T1033
  • T1027
  • T1078

Additional Informations

  • Germany