# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: ta8220 # Reference: https://www.trendmicro.com/vinfo/hk-en/security/news/virtualization-and-cloud/coinminer-ddos-bot-attack-docker-daemon-ports # Reference: https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool kaiserfranz.cc irc.kaiserfranz.cc /ziggy_spread # Reference: https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/ # Reference: https://www.virustotal.com/gui/file/1aaf7bc48ff75e870db4fe6ec0b3ed9d99876d7e2fb3d5c4613cca92bbb95e1b/detection # Reference: https://otx.alienvault.com/pulse/5f3aa1e047a40112d69f524d 6z5yegpuwg2j4len.tor2web.su dockerupdate.anondns.net sayhi.bplace.net teamtnt.red teamtntisback.anondns.net # Reference: https://otx.alienvault.com/pulse/5f58ff8e319f59c6e46496b1 # Reference: https://www.virustotal.com/gui/file/0742efecbd7af343213a50cc5fd5cd2f8475613cfe6fb51f4296a7ec4533940d/detection 85.214.149.236:443 # Reference: https://techcommunity.microsoft.com/t5/azure-security-center/teamtnt-activity-targets-weave-scope-deployments/ba-p/1645968 # Reference: https://otx.alienvault.com/pulse/5f5925486084399c89bda0ba # Reference: https://www.virustotal.com/gui/domain/rhuancarlos.inforgeneses.inf.br/detection rhuancarlos.inforgeneses.inf.br # Reference: https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ # Reference: https://otx.alienvault.com/pulse/5f7b7cfff93fa60ed6fd4ff4 /BLACK-T/setup/ /BLACK-T/beta /BLACK-T/CleanUpThisBox /BLACK-T/SetUpTheBLACK-T /BLACK-T/SystemMod /SetUpTheBLACK-T /only_for_stats/dup.php # Reference: https://twitter.com/r3dbU7z/status/1351256623814205441 sampwn.anondns.net /SamPwn # Reference: https://twitter.com/r3dbU7z/status/1350479393135734787 # Reference: https://www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques # Reference: https://otx.alienvault.com/pulse/6007314fbb9b9daf8afc505c http://45.9.150.36 borg.wtf # Reference: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ # Reference: otx.alienvault.com/pulse/601ad65bb1f0c3f6116d20ab/ 123.245.9.147:6667 13.245.9.147:6667 164.68.106.96:6667 62.234.121.105:6667 # Reference: https://www.lacework.com/8220-gangs-recent-use-of-custom-miner-and-botnet/ # Reference: https://otx.alienvault.com/pulse/60a81875fa39fe6dbbe6f7d1 irc.do-dear.com # Reference: https://unit42.paloaltonetworks.com/docker-honeypot/ # Reference: https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/ # Reference: https://otx.alienvault.com/pulse/60b0cd1697da17aefe01db85 # Reference: https://otx.alienvault.com/pulse/60bdfb172c85862f931deced # Reference: https://www.virustotal.com/gui/ip-address/45.9.148.85/relations http://45.9.148.35 irc.borg.wtf irc.teamtnt.red irc03.teamtnt.red ircbd.anondns.net pacu.borg.wtf xmrigdashboard.anondns.net # Reference: https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operations/ # Reference: https://otx.alienvault.com/pulse/60bf9746b81c47f6658b7e1a projectbluebeam.anondns.net # Reference: https://twitter.com/SethKingHi/status/1412729582751420419 http://185.142.239.128 # Reference: https://blog.netlab.360.com/wei-xie-kuai-xun-teamtntxin-huo-dong-tong-guo-gan-ran-wang-ye-wen-jian-ti-gao-chuan-bo-neng-li/ # Reference: https://otx.alienvault.com/pulse/610ce11da606a4c5c78b28a3 # Reference: https://www.virustotal.com/gui/ip-address/194.147.114.20/relations htxreceive.top pubzone.htxreceive.top oracle.htxreceive.top /htx-i.$ /htx-i.arc /htx-i.arcle-hs38 /htx-i.arm /htx-i.arm4 /htx-i.arm4l /htx-i.arm4t /htx-i.arm4tl /htx-i.arm4tll /htx-i.arm5 /htx-i.arm5l /htx-i.arm5n /htx-i.arm6 /htx-i.arm64 /htx-i.arm6l /htx-i.arm7 /htx-i.arm7l /htx-i.arm8 /htx-i.armv4 /htx-i.armv4l /htx-i.armv5l /htx-i.armv6 /htx-i.armv61 /htx-i.armv6l /htx-i.armv7l /htx-i.dbg /htx-i.exploit /htx-i.i4 /htx-i.i486 /htx-i.i586 /htx-i.i6 /htx-i.i686 /htx-i.kill /htx-i.m68 /htx-i.m68k /htx-i.mips /htx-i.mips64 /htx-i.mipseb /htx-i.mipsel /htx-i.mpsl /htx-i.pcc /htx-i.powerpc /htx-i.powerpc-440fp /htx-i.powerppc /htx-i.ppc /htx-i.pp-c /htx-i.ppc2 /htx-i.ppc440 /htx-i.ppc440fp /htx-i.root /htx-i.root32 /htx-i.sh /htx-i.sh4 /htx-i.sparc /htx-i.spc /htx-i.ssh4 /htx-i.x32 /htx-i.x32_64 /htx-i.x64 /htx-i.x86 /htx-i.x86_32 /htx-i.x86_64 /s3f715/ # Reference: https://twitter.com/t0001100000/status/1446048755577458694 # Reference: https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server # Reference: https://www.virustotal.com/gui/file/fe3c5c4f94b90619f7385606dfb86b6211b030efe19b49c12ead507c8156507a/detection # Reference: https://www.virustotal.com/gui/file/0dab485f5eacbbaa62c2dd5385a67becf2c352f2ebedd2b5184ab4fba89d8f19/detection http://45.9.148.182 51.79.226.64:8080 85.214.149.236:443 chimaera.cc dl1.chimaera.cc irc.chimaera.cc /chimaera.cc /chimaera.cc_Version2.c /GRABBER_aws-cloud.sh /GRABBER_aws-cloud2.sh /GRABBER_google-cloud.sh /MOUNTSPLOIT_V2.sh.txt /TeamTNTbot.c /TeamTNT.sh /TNT_gpu.c # Reference: https://www.lacework.com/blog/teamtnt-continues-to-target-exposed-docker-api/ # Reference: https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html # Reference: https://otx.alienvault.com/pulse/6177d2c81029c2102d5fac47 crypto.htxreceive.top # Reference: https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/ # Reference: https://otx.alienvault.com/pulse/6213ad9cfa105eaa69e553d2 teamtnt.twilightparadox.com the.borg.wtf # Reference: https://twitter.com/suyog41/status/1637777342389972992 # Reference: https://www.virustotal.com/gui/file/8640fbb75e9e6ee8f51f5b95b8ee263b3cd8225b4e4351536cfb1adb5fb32c66/detection http://128.199.240.129 /php/rr/make-rr.sh # Reference: https://www.cadosecurity.com/previously-undiscovered-teamtnt-payload-recently-surfaced/ # Reference: https://otx.alienvault.com/pulse/6414b965997992991b82531e donaldtrump.cc # Reference: https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign # Reference: https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack # Reference: https://www.virustotal.com/gui/file/4a05f0ce8c120c4e62403558d45b3df8c6fd0c38c3e4848819cf343594518784/detection # Reference: https://www.virustotal.com/gui/file/d907d41fef298203b18b59a17fa9e027df5f15b5b71df94031efc5405249541e/detection # Reference: https://www.virustotal.com/gui/file/4a05f0ce8c120c4e62403558d45b3df8c6fd0c38c3e4848819cf343594518784/detection # Reference: https://www.virustotal.com/gui/file/2531b25cb663c445991b71e3f03ff3d759e55725022a209c8a0ca5255751c6e2/detection 207.154.218.221:8888 ap-northeast-1.compute.internal.anondns.net everfound.anondns.net everlost.anondns.net silentbob.anondns.net /bin/tmate/x86_64 # Reference: https://twitter.com/ShilpeshTrivedi/status/1708720269643440200 # Reference: https://twitter.com/malwrhunterteam/status/1748754174819344410 # Reference: https://www.virustotal.com/gui/file/a1dad8768ab2cb89d883979a99d23cbe586539b69530345f4069a399ff2eedf6/detection # Reference: https://www.virustotal.com/gui/file/36999b9b286ac24fb2874d3c523e591b4bf1d01ec76051e064d9e8c1ea18f431/detection # Reference: https://www.virustotal.com/gui/file/28dade8156a906e40b97d0ff7b65b9f4fd0c4f6572637786f259c0ab2f0bd035/detection http://5.42.67.2 http://5.42.67.29 http://5.42.67.3 http://87.121.221.176 89.185.85.102:8080 89.185.85.102:8444 89.185.85.102:9090 89.185.85.102:9091 89.185.85.102:9092 89.185.85.102:9191 c4kdeliver.top dw.c4kdeliver.top su95.c4kdeliver.top # Reference: https://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt # Reference: https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html # Reference: https://otx.alienvault.com/pulse/64638bb666005b906bc81c2b # Reference: https://www.virustotal.com/gui/ip-address/185.17.0.19/relations # Reference: https://www.virustotal.com/gui/file/0258d2414ff41c7eabc12a9deb00109974c17f3e4e061e97dcd61f9c4f0dc8dd/detection http://179.43.155.202 http://185.17.0.19 http://209.141.38.219 http://45.142.122.11 http://79.137.203.156 letmaker.top jila.letmaker.top jira.letmaker.top pf.letmaker.top pwn.letmaker.top su-94.letmaker.top su-95.letmaker.top su95.letmaker.top work.letmaker.top # Reference: https://twitter.com/suyog41/status/1722121111037747498 # Reference: https://www.virustotal.com/gui/domain/clu-e.eu/relations # Reference: https://www.virustotal.com/gui/file/dfc874f4d230dd5ac2552f1cc9439ee1e21e1de8e3bcaa652d0a5fa70274c7d3/detection clu-e.eu b.clu-e.eu cc.clu-e.eu # Reference: https://twitter.com/suyog41/status/1727196303556485504 # Reference: https://www.virustotal.com/gui/file/6a2de1462b6877634782f710fb15e83c66b602b755e533dc2a87ea61061f53eb/detection # Reference: https://www.virustotal.com/gui/file/0c7579294124ddc32775d7cf6b28af21b908123e9ea6ec2d6af01a948caf8b87/detection 107.189.7.84:14447 9-9-8.com b.9-9-8.com m.9-9-8.com /brysj/m/enbash.tar /brysj/m/enbio.tar m.clu-e.eu