From unit42.paloaltonetworks.com
Executive Summary
The copying and incorporation of operational cryptomining code or script functions has become a central behavioral indicator of cryptojacking groups and their operations. However, the use of command and control (C2) infrastructure, full tool sets and directory infrastructure patterns is a different matter. Unit 42 researchers have identified indicators that traditionally point to the WatchDog cryptojacking group and that have been incorporated into the tactics, techniques and procedures (TTPs) used by the TeamTNT cryptojacking group. The new scripts from TeamTNT overtly copy infrastructure naming conventions and hijack a known WatchDog C2 hosting system, 199.199.226[.]117.