TeamTNT Allegedly Connected to SCARLETEEL Decoy Attack

A few days ago, the SCARLETEEL advanced hacking operation was reported, in which the adversary targets Kubernetes clusters hosted on AWS to steal sensitive proprietary data via a complex exploitation chain. New research suggests that the cryptojacking group TeamTNT may be behind that attack.

What has been discovered?

Analysis by Cado Security has revealed that the initial phase of the attack leveraged a cryptocurrency miner whose TTPs are consistent with the tactics typically used by TeamTNT.
  • Researchers found an XMR (Monero) miner configuration file (config_background.json) on VirusTotal with the same IOCs as the miner sample involved in the SCARLETEEL campaign.
  • The script uses the string hilde in the author name field, which is associated with TeamTNT. It also uses the same wallet ID that TeamTNT used in past attacks.
  • There are further overlaps, such as preparatory configuration steps that put hard limits on resource usage, dynamic linker hijacking, enumeration of hardware resources, steps to prevent shell history from being logged, and clean-up using the function CLEANUP_BY_TRUMP().
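The wallet-ID overlap above is the kind of check an analyst can automate when triaging a recovered miner config. The following is an added example, not code from the article or from Cado Security: it parses an XMRig-style JSON config (the page names config_background.json but does not reproduce its contents, so the sample below is constructed and the field names follow XMRig's documented schema), extracts pool and wallet IOCs, and compares the wallets against a hypothetical watchlist.

```python
import json

# Constructed sample in the style of an XMRig config. Values are placeholders,
# not indicators from the actual campaign.
SAMPLE_CONFIG = """
{
  "autosave": true,
  "background": true,
  "cpu": {"enabled": true, "max-threads-hint": 75},
  "pools": [
    {"url": "pool.example.invalid:3333", "user": "44WALLET_PLACEHOLDER", "pass": "x", "tls": false},
    {"url": "backup.example.invalid:443", "user": "44WALLET_PLACEHOLDER", "pass": "x", "tls": true}
  ]
}
"""

# Hypothetical watchlist of wallet addresses previously tied to a known cluster.
KNOWN_BAD_WALLETS = {"44WALLET_PLACEHOLDER"}


def extract_iocs(config_text):
    """Return sorted (pool_urls, wallet_ids) from an XMRig-style config.

    Each entry in "pools" carries the pool endpoint in "url" and the payout
    wallet in "user"; both are de-duplicated so a config that lists the same
    wallet for a primary and a backup pool yields one wallet ID.
    """
    cfg = json.loads(config_text)
    pools = cfg.get("pools", [])
    urls = sorted({p["url"] for p in pools if p.get("url")})
    wallets = sorted({p["user"] for p in pools if p.get("user")})
    return urls, wallets


def triage_config(config_text, watchlist=KNOWN_BAD_WALLETS):
    """Summarise a config for an analyst: IOCs, watchlist hits, and whether the
    miner is set to run detached in the background."""
    cfg = json.loads(config_text)
    urls, wallets = extract_iocs(config_text)
    return {
        "pools": urls,
        "wallets": wallets,
        "watchlist_hits": [w for w in wallets if w in watchlist],
        "background": bool(cfg.get("background", False)),
        "thread_hint": cfg.get("cpu", {}).get("max-threads-hint"),
    }


if __name__ == "__main__":
    print(json.dumps(triage_config(SAMPLE_CONFIG), indent=2))
```

The same extraction can be pointed at a directory of VirusTotal retrohunt results to cluster configs by shared wallet, which is exactly the overlap the researchers relied on here.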

Other connecting factors

  • The domain name used as the C2 (DonaldTrump[.]cc) had not previously been observed in any malicious campaign, suggesting it was fresh infrastructure set up for a new campaign.
  • However, passive DNS analysis (the historical record of DNS resolutions) of the above domain shows that it was last updated in May 2021.
  • Hence, it is likely that this is an older sample used by TeamTNT that had not been identified and analyzed by security personnel until now.

Despite all the similarities, the researchers could not connect the two malware samples with full confidence. According to them, it is possible that another group is simply copying the tactics. Moreover, several IOCs do not match TeamTNT’s trademark signatures, leaving a margin for doubt.

Concluding notes

TeamTNT is a significant threat when it comes to targeting cloud environments. Its possible involvement in SCARLETEEL further complicates the picture, indicating that the group may be attempting new tricks beyond cryptojacking. It is possible that, with cryptocurrency prices collapsing, the group is experimenting with new types of attacks to remain profitable.

Cyware Publisher