TeamTNT Group Now has its Own IRC Bot

What happened?

• For a TNTbotinger attack, the attackers must perform remote code execution on their initial target machine via misconfiguration issues, reused or weak passwords, leaked credentials, and unpatched vulnerabilities.
• Once inside, it looks for vulnerable instances on the network and performs remote code execution.

How does it work?

• The attack starts with the use of a malicious shell script that executes on a victim machine. The shell script scans for the /dev/shm/[.]alsp file presence. If the file is not present, it starts doing its job.
• Subsequently, the script will attempt to install curl, bash, wget, gcc, make, and pnscan packages. These packages are implemented to provide support for both Debian and Linux.
• The script will then try downloading and executing multiple binaries, such as pnscan, a tool for port scanning. This tool could be downloaded manually if it is not present in the expected directory.

Recent attacks

• Recently, the group updated its TeamTNT Trojan that targets cloud servers for mining cryptocurrency via third-party software.
• Earlier, the group was using a malware named Black-T to target AWS credential files for mining Monero cryptocurrency.

Conclusion