TeamTNT Using WatchDog TTPs to Expand Its Cryptojacking Footprint



Executive Summary

Copying and incorporating another group's cryptomining codebase or script functions has become a central behavioral indicator of cryptojacking groups and their operations. Reusing another group's command and control (C2) infrastructure, full tool set and directory naming patterns is a different matter. Unit 42 researchers have identified indicators traditionally attributed to the WatchDog cryptojacking group that have now been incorporated into the tactics, techniques and procedures (TTPs) of the TeamTNT cryptojacking group. The new TeamTNT scripts overtly copy WatchDog's infrastructure naming conventions and hijack a known WatchDog C2 hosting system, 199.199.226[.]117.
