TeamTNT is conducting a crypto mining campaign, dubbed Spinning YARN, that targets Docker, Redis, YARN, and Confluence. The attack chain exploits server-side scripting vulnerabilities and uses obfuscated code to deploy malware. Once running, the malware assesses the environment, disables cloud security defenses, establishes persistence, and sets up a crypto miner. The impact extends beyond resource consumption: the attacker gains persistent access that can be used for further exploitation. TeamTNT, active since 2019, is known for attacks on cloud environments and cryptojacking. The campaign uses a range of tools and tactics, including malware droppers, XMRig miners, and reverse shells. Organizations should prioritize securing their infrastructure and stay informed about evolving threats to Linux and cloud environments.

Author: AlienVault
Related Tags:
T1569.001
crypto mining
spinning yarn
yarn
T1543.002
docker
cloud security
T1053.003
T1569.002
Associated Indicators: