TeamTNT with new campaign aka “Chimaera”

September 8, 2021 | Ofer Caspi

Executive summary

AT&T Alien Labs™ has discovered a new campaign by threat group TeamTNT that is targeting multiple operating systems and applications. The campaign uses multiple shell/batch scripts, new open source tools, a cryptocurrency miner, the TeamTNT IRC bot, and more.

Alien Labs research indicates the command and control (C&C) server used in this newly discovered campaign contains infection statistics that suggest TeamTNT has been running this campaign since July 25, 2021, and that it is responsible for thousands of infections globally.

Key takeaways:

  • TeamTNT is using new, open source tools to steal usernames and passwords from infected machines.
  • The group is targeting various operating systems including: Windows, different Linux distributions including Alpine (used for containers), AWS, Docker, and Kubernetes.
  • The campaign has been active for approximately one month and is responsible for  thousands of infections globally.
  • As of August 30, 2021, many malware samples still have zero antivirus (AV) detections and others have low detection rates.


TeamTNT has been one of the most active threat groups since mid 2020. Their activity typically uses open source tools for malicious activity. A partial list of imported tools contains:

  • Masscan and port scanner to search for new infection candidates
  • libprocesshider for executing their bot directly from memory
  • 7z to decompress downloaded files
  • b374k shell which is a php web administrator that can be used to control infected systems
  • Lazagne, an open-source tool for multiple web operating systems, which is used to collect stored credentials from numerous applications

Several recent publications, such the one by TrendMicro, have described in detail TeamTNT campaigns, including the tools and techniques they use. One of the most recent findings (June 4, 2021) came from Palo Alto researchers who discovered the TeamTNT Chimaera repository. In July 2021, TeamTNT began running the Chimaera campaign using new tools, and they began publishing infection statistics publicly on their website for the first time (Figures 1, 2).

As of the publishing of this report, many of the samples analyzed by Alien Labs have zero or low detection on VirusTotal. However, defenders can be proactive in hardening their systems. For example, due to the recent, high profile attacks on Kubernetes — including those executed by TeamTNT —  the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published “Kubernetes Hardening Guidance” in August of this year. Defenders should reference this guide to understand how to better defend against attacks like those used by TeamTNT.

Chimaera stats on main screen

Figure 1. TeamTNT C&C website showing infection statistics

Chimaera C&C

Figure 2. TeamTNT C&C website showing Chimaera campaign statistics

Analysis of components used in the “Chimaera” campaign

New credentials stealer (“Lazagne” component)

The malicious script starts its activity by modifying the bash history file. This hides any future commands executed from users using the “history” command on Linux.

The script then installs its dependencies (‘curl’, ‘bash’, ‘wget’, ‘pip’, ‘py3-pip’, ‘python3-pip’). As seen in figure 3, supported operating systems include different Linux distributions, such as Alpine Linux which is typically used in containers.

Lazagne stage 1

Figure 3. The first stage of the Lazagne component.

Once the malware is finished with its “pre-setup,” it downloads the second phase of the attack from its C&C, which includes another bash script (‘’) along with the Lazagne project, as seen in figure 4.

Lazagne stage 2

Figure 4. Second stage of the Lazagne component (‘’).

Lazagne is an open-source project available for different operating systems (Windows, Linux, and MacOS). Its developer describes the Lazagne tool as an application that can be used to retrieve multiple passwords stored on a local machine. Due to its capabilities, the tool has been added as a post exploitation module to the pupy project.

It supports a wide range of programs, such as browsers (Chrome, Firefox, Opera, etc.), Sysadmin programs (such as CoreFTP, Putty, OpenSSH, etc. ), Wifi password, mail programs, databases, etc. The full list of supported programs can be found on the Lazagne page on Github.

In this phase two of the attack, the second malicious script executes the Lazagne tool, saves its output into “laZagne.out.txt,” and uploads it to the C&C using the curl command. At the end of the execution, the malware deletes any file that has been downloaded.

Windows component – Set up a cryptocurrency miner

For Windows operating systems, the attackers use a malicious script that downloads all the tools required for unpacking and executing the Xmrig miner. This includes the 7z tool for decompressing downloaded files and Nssm to add the miner as a service. (See figure 5.)

Chimaera windows module

Figure 5. Windows module

The malware will setup the miner and then the miner will persist it in the system in two ways: 1) by adding itself as a service if the malware gains admin privileges or 2) by adding the batch file to the startup folder. (See figure 6.)

Chimaera windows persistence

Figure 6. Windows module - persistence

Kubernetes root payload component

This component is mainly responsible for installing a cryptocurrency miner on infected devices, allowing the attacker to connect remotely to the system using SSH. (See figure 7)

Kubernetes root payload

Figure 7. Kubernetes root payload

The malicious script uses the following steps to achieve its goal:

  • Disabling or uninstalling security products on infected machines, such as Aegis Authenticator, quartz, and Alibaba services (AliSecGuard, AliYunDun, AliNet etc.). (Figures 8, 9)
  • Adding the attacker’s RSA-key to the list of known SSH host (allowing the attacker to connect the machine through SSH without the need of user/password in the system).
  • Installing missing required tools for crypto mining.
  • Modifying the host file.
  • Setting up the XMRig crypto miner.
  • Adding persistence for the XMR miner.
  • Removing itself.

Chimaera stopping security services

Figure 8. Stopping security services

Chimaera shell script

Figure 9. Decoded shell script

TeamTNT IRC bot

As described previously this year by Lacework, TeamTNT includes ZiggyStartux in their IRC bot. Now, the bot has extended its availability to “Unix Shell & Command Function” (See figure 10).

TeamTNT IRC bot

Figure 10. IRC Bot available commands

TeamTNT AWS stealer

Similar to the other TeamTNT components, the AWS stealer (see figure 11) first installs missing dependencies. It then collects information from infected devices and stores the informaiton in a temporary file “/var/tmp/TeamTNT_AWS_STEALER.txt”.

TeamTNT AWS stealer

Figure 11. AWS stealer

This information includes:

  • AWS default region
  • AWS access key Id
  • AWS secret access key
  • AWS session token
  • AWS user credentials
  • AWS root credentials
  • Shared credentials file
  • Container credential relative URI

When finished, the malware uploads all of the stored information to its C&C using curl command, and then it cleans up its traces.


AT&T Alien Labs has discovered new malicious files distributed by the threat actor TeamTNT. As researches have observed of TeamTNT in older campaigns, they are focusing on stealing cloud systems credentials, using infected systems for cryptocurrency mining, and abusing victim’s machines to search and spread to other vulnerable systems. The use of open-source tools like Lazagne allows TeamTNT to stay below the radar for a while, making it more difficult for anti-virus companies to detect.

Recommended actions

  1. Keep your software with the latest security updates.
  2. Keep minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
  3. Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.


AV TROJAN TeamTNT AWS Credential Exfiltration


AV TROJAN TeamTNT CoinMiner Payload Download to clean up other Coinminers

AV TROJAN TeamTNT Mining Worm Credential Exfiltration

AV TROJAN TeamTNT CoinMiner Downloader

AV TROJAN TeamTNT IRC Bot Joining Channel

ET TROJAN Observed TrojanSpy.SH.HADGLIDER.A Exfil Domain in DNS Query



Crypto mining Docker container

Appendix B. Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.







IP Address






Credentials stealer, Lazagne component



Malware hash



TeamTNT IRC bot



SSH lan spread



Malware hash



TeamTNT IRC bot



​​Kubernetes root PayLoad



​​Kubernetes root PayLoad



Kubernetes setup script



Malware hash



AWS stealer



Malware hash



SSH lan spread



TeamTNT IRC bot




Windows component (Cryptocurrency miner setup)


Appendix C. Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

  • TA0001: Initial Access
    • T1078: Valid accounts
  • TA0002: Execution
    • T1569: System Services
    • T1059: Command and Scripting Interpreter
      • T1059.004: Unix Shell
      • T1059.003: Windows Command Shell
  • TA0003: Persistence
    • T1547: Boot or Logon Autostart Execution
    • T1053: Scheduled Task/Job
  • TA0005: Defense Evasion
    • T1564: Hide Artifacts
  • TA0006: Credential Access
    • T1212: Exploitation for Credential Access
    • T1528: Steal Application Access Token
    • T1555: Credentials from Password Stores
  • TA0008: Lateral Movement
    • T1210: Exploitation of Remote Services
  • TA0010: Exfiltration
    • T1041: Exfiltration Over C2 Channel
    • T1020: Automated Exfiltration
  • TA0011: Command and Control
    • T1219: Remote Access Software
  • TA0040: Impact
    • T1496: Resource Hijacking

Appendix D. Reporting context

Alien Labs rates sources based on the Intelligence source and information reliability rating system to assess the reliability of the source and the assessed level of confidence we place on the information distributed. The following chart contains the range of possibilities, and the selection applied to this report can be found on Page 1.

Source Reliability



A - Reliable

No doubt about the source's authenticity, trustworthiness, or competency. History of complete reliability.

B - Usually Reliable

Minor doubts. History of mostly valid information.

C - Fairly Reliable

Doubts. Provided valid information in the past.

D - Not Usually Reliable

Significant doubts. Provided valid information in the past.

E - Unreliable

Lacks authenticity, trustworthiness, and competency. History of invalid information.

F - Reliability Unknown

Insufficient information to evaluate reliability. May or may not be reliable.

Information Reliability



1 - Confirmed

Logical, consistent with other relevant information, confirmed by independent sources.

2 - Probably True

Logical, consistent with other relevant information, not confirmed.

3 - Possibly True

Reasonably logical, agrees with some relevant information, not confirmed.

4 - Doubtfully True

Not logical but possible, no other information on the subject, not confirmed.

5 - Improbable

Not logical, contradicted by other relevant information.

6 - Cannot be judged

The validity of the information can not be determined.

Ofer Caspi

About the Author: Ofer Caspi

Ofer is a Security Researcher at Alien Labs, part of the AT&T Cybersecurity. He can be found on LinkedIn and Twitter (@ShablolForce)

Read more posts from Ofer Caspi ›


Get price Free trial