# TeamTNT Now Deploying DDoS-Capable IRC Bot TNTbotinger **[trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html](https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html)** December 18, 2020 [Earlier this year, we saw how the cybercrime group TeamTNT attacked exposed Docker APIs using the XMRig cryptocurrency miner. Over](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/virtualization-and-cloud/coinminer-ddos-bot-attack-docker-daemon-ports) time, we observed how TeamTNT expanded the functionality of its attacks, which has come to include the stealing of Amazon Web Services (AWS) secure shell (SSH) credentials and a self-replicating behavior for propagation. Here we discuss TeamTNT’s latest attack, which involves the use of the group’s own IRC (Internet Relay Chat) bot. The IRC bot is called TNTbotinger and is capable of distributed denial of service (DDoS). It’s important to note that the attackers must first be able to perform remote code execution (RCE) on the initial target machine in order to successfully wage this attack on a system. Malicious actors can perform RCE by exploiting misconfiguration issues, abusing unpatched [vulnerabilities, and taking advantage of security flaws such as weak or reused passwords and keys, or leaked credentials.](https://www.trendmicro.com/vinfo/tmr/?/us/security/definition/vulnerability) ## Technical analysis The initial spread starts with a malicious shell script that’s run on a victim machine. The shell script checks for the presence of the _/dev/shm/.alsp file, which can also be an indicator of compromise. If the file is not found, the script starts doing its job._ Figure 1. The malicious script checks for the presence of the /dev/shm/.alsp file in a system The script will then try to install curl, wget, bash, make, gcc, and pnscan packages. Figure 2. The malicious script attempts to install curl, wget, make, gcc, and pnscan packages Because of the package managers used in the malicious script, specifically apt-get and yum, we assume that the authors implemented support for both Debian and Red Hat-based distributions of Linux. The script will then attempt to download and execute multiple binaries, including pnscan, a tool used for port scanning. This tool is also downloaded manually in case it is not found in the expected directory. The following are the executed binaries in this attack: ----- /de /s /sb /usr/bin/tshd /usr/bin/kube /usr/bin/bioset Afterward, the script steals several pieces of confidential information from the infected system, such as: RSA (Rivest-Shamir-Adleman) keys used for SSH access (AWS path included) Bash history AWS and Docker configuration files /etc group, /etc/passwd, /etc/shadow, /etc/gshadow [The malicious actors will then upload this stolen information using a TGZ (tar.gz) file via an HTTP POST request to an attacker-provided URL.](https://www.winzip.com/win/en/tgz-file.html#:~:text=A%20TGZ%20file%20is%20a,for%20easier%20distribution%20or%20backup.&text=TGZ%20file.) We suspect that the collected information will serve as a knowledge base for the improvement of subsequent attacks. Figure 3. Stolen information from an infected machine is uploaded via a TGZ file to a malicious URL The script also tries to find accessible devices, based on the output of the ip route command, which would show routes to accessible networks. This information is then passed to the pnscan tool for a scan of the active SSH daemons on the network. The keys found on the system are used for authentication attempts on the newly discovered devices. If these attempts are successful, the same payload is deployed on the new devices and the attack propagates. Figure 4. The malicious script performs a scan of active SSH daemons on an infected network and attempts to use stolen keys to access network-connected devices ----- ## A closer look at relevant binaries The binary target platform is CPUs based on the x86-64 instruction set. The first layer of all these binaries is packed by the well-known UPX packer. **/dev/shm/sbin** The binary is compiled using the Go compiler and contains an ELF (Executable and Linkable Format) file that uses AES (Advanced Encryption Standard) encryption. We presume that the packer used is a Go version of LaufzeitCrypter. Figure 5. A Go-compiled binary that contains an AES-encrypted ELF file After decrypting the file, we found the binary’s final payload: an XMRig cryptocurrency miner. **/usr/bin/tshd** This bind shell listens on TCP (Transmission Control Protocol) port 51982. The communication is encrypted with a hard-coded key. Figure 6. The bind shell that listens on TCP port 51982 **/usr/bin/bioset** [This is a bind shell that listens on TCP port 1982. The communication is encrypted using the Blowfish encryption algorithm with a hard-coded](https://www.schneier.com/academic/blowfish/) key. After analysis, we discovered that this implementation does not work correctly on some platforms. The binary also renames its process name to systemd. ----- Figure 7. The bind shell that listens on TCP port 1982 **/usr/bin/kube** This binary is Go-compiled and contains an AES-encrypted ELF file. This is dynamically loaded during execution, and the same packer with the Go version of LaufzeitCrypter is used. The AES key and initialization vector (IV) are hard-coded in the binary. The final payload of this binary is an IRC bot, which the authors named TNTbotinger. This bot features the following DDoS commands: **DDoS command** **Function** PAN An advanced SYN flooder that kills most network drivers UDP A UDP (User Datagram Protocol) flooder UNKNOWN Nonspoof UDP flooder RANDOMFLOOD A SYN-ACK flooder NSACKFLOOD A new-generation ACK flooder NSSYNFLOOD A new-generation SYN flooder SYNFLOOD A classic SYN flooder ACKFLOOD A classic ACK flooder ----- GETSPOOFS A command that gets the current spoofing SPOOFS A command that changes spoofing to a subnet KILLALL A command that kills all current packeting TNTbotinger also has the following IRC bot commands: **IRC bot command** **Function** NICK Changes the nickname of the client SERVER Changes servers IRC Sends a command to the server DISABLE Disables all packeting from the client ENABLE Enables all packeting from the client KILL Kills the client VERSION Requests the version of the client HELP Displays the help file GET Downloads a file from the web and saves it to a disk UPDATE Updates the bot HACKPKG Installs a binary with no dependencies This bot also features the following Unix shell commands: **Unix shell command** **Function** SH Executes a command ISH Enables the facilities of an operating system to be made available to interactive users SHD Executes a daemonized command BASH Executes a command using Bash (if applicable) SYSINFO Collects information and reports about system configuration, setup, and usage RSHELL Opens remote shell ## Conclusion and security recommendations The Linux threat landscape is constantly evolving. This latest attack from TeamTNT is a good example of how the whole network segment, including the cloud, could be compromised by malicious actors. We are seeing just how serious they are in ensuring the increased success rates and stability of their attacks, as evidenced here by TeamTNT’s use of the wget/curl binaries for payload deployment and use of bind shell redundancy. ----- a success u bot ge attac, attac e s be ab e to t ate a ected syste O ce s de, t ey be ab e to see u e ab e instances on accessible network segments, and they can perform RCE on devices that are supposed to be shielded from the outside world. It’s important for enterprises to adopt stringent security practices such as the following to keep their systems secure: [Implement policies that prioritize continuous monitoring and auditing of devices, especially those used to access the office network.](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/virtualization-and-cloud/automating-security-continuous-monitoring-and-auditing-in-devops) [Adhere to the principle of least privilege when granting permissions.](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/virtualization-and-cloud/securing-the-4-cs-of-cloud-native-systems-cloud-cluster-container-and-code) [Regularly patch and update systems to reduce exposure to vulnerabilities and other critical threats.](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/vulnerabilities-and-exploits/virtual-patching-patch-those-vulnerabilities-before-they-can-be-exploited) Ensure that [passwords are strong.](https://blog.trendmicro.com/are-your-passwords-secure-enough/) [Change default passwords and adjust security settings based on the enterprise’s needs.](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/internet-of-things/the-first-steps-in-effective-iot-device-security) ## Trend Micro solutions The [Trend Micro Network Defense solution preserves the integrity of networks, prevents breaches and targeted attacks, and ensures that](https://www.trendmicro.com/en_us/business/products/network.html) critical data, communications, intellectual property, and other intangible assets are not exploited by malicious actors. It provides a nextgeneration intrusion prevention system (IPS), anomaly detection, custom sandbox analysis, and threat insight. [Cloud-specific security solutions such as Trend Micro Hybrid Cloud Security can help protect cloud-native systems and their various layers. It’s](https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html) [powered by the Trend Micro Cloud One™ security services platform for cloud builders, which provides automated protection for the continuous](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-migration-security.html) integration and continuous delivery (CI/CD) pipeline and applications. It also helps identify and resolve security issues sooner and improve delivery time for DevOps teams. The Trend Micro Cloud One platform includes: [Workload Security: runtime protection for workloads](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-workload-security.html) [Container Security: automated container image and registry scanning](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-container-image-security.html) [File Storage Security: security for cloud file and object storage services](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-file-storage-security.html) [Network Security: cloud network layer IPS security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-network-security.html) [Application Security: security for serverless functions, APIs, and applications](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-application-security.html) [Conformity: real-time security for cloud infrastructure — secure, optimize, comply](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-conformity.html) ## Indicators of compromise **File** **name** **Functionality** **SHA-256** **Trend Micro detection** SSH Shell script dropper, uploader D9C46904D5BB808F2F0C28E819A31703F5155C4DF66C4C4669F5D9E81F25DC66 Trojan.SH.MALXMR.UWEKQ sbin XMRig E52646F7CB2886D8A5D4C1A2692A5AB80926E7CE48BDB2362F383C0C6C7223A2 Trojan.Linux.BTCWARE.A tshd Bind shell (TCP port 51982) 252BF8C685289759B90C1DE6F9DB345C2CFE62E6F8AAD9A7F44DFB3C8508487A Backdoor.Linux.REKOOBE.AA kube IRC bot B666CD08B065132235303727F2D77997A30355AE0E5B557CD08D41C9ADE7622D Trojan.Linux.MALXMR.UWEKY bioset Bind shell (TCP port 1982) Malware E15550481E89DBD154B875CE50CC5AF4B49F9FF7B837D9AC5B5594E5D63966A3 Trojan.Linux.MALXMR.UWEKW We discuss TeamTNT’s latest attack, which involves the use of the group’s own IRC (Internet Relay Chat) bot. The IRC bot is called TNTbotinger and is capable of distributed denial of service (DDoS). By: David Fiser December 18, 2020 Read time: ( words) Content added to Folio -----