TeamTNT, the cybercriminal group primarily known for its cryptomining operations, has upgraded its arsenal with new tools with sharpened capabilities. In a recent attack, the group has been observed actively using a new bot dubbed TNTbotinger.
The group has developed its own Internet Relay Chat (IRC) bot called TNTbotinger, which can be used to perform DDoS attacks.
- For a TNTbotinger attack, the attackers must perform remote code execution on their initial target machine via misconfiguration issues, reused or weak passwords, leaked credentials, and unpatched vulnerabilities.
- Once inside, it looks for vulnerable instances on the network and performs remote code execution.
How does it work?
- The attack starts with the use of a malicious shell script that executes on a victim machine. The shell script scans for the /dev/shm/[.]alsp file presence. If the file is not present, it starts doing its job.
- Subsequently, the script will attempt to install curl, bash, wget, gcc, make, and pnscan packages. These packages are implemented to provide support for both Debian and Linux.
- The script will then try downloading and executing multiple binaries, such as pnscan, a tool for port scanning. This tool could be downloaded manually if it is not present in the expected directory.
- Recently, the group updated its TeamTNT Trojan that targets cloud servers for mining cryptocurrency via third-party software.
- Earlier, the group was using a malware named Black-T to target AWS credential files for mining Monero cryptocurrency.
TeamTNT shows how vulnerable even the state-of-the-art cloud services are to malicious threat actors. To defend the networks from such threats, experts suggest proactively implementing policies for continuous monitoring and auditing of devices, following the principle of least privilege, regularly patching and updating systems, and using strong passwords.