The TeamTNT threat group has modified versions of its malicious shell scripts, which can run on-premise, in containers, or on other Linux instances, to mine cryptocurrency on AWS.
TeamTNT’s shell scripts
Alongside credential-stealer scripts, various TeamTNT payloads focus on crypto-mining, persistence, and lateral movement by discovering and deploying to all Kubernetes pods in a local network.
The names of some of these scripts are Kubernetes_root_PayLoad_2[.]sh, Kubernetes_root_PayLoad_1[.]sh, init[.]sh, init_main_root[.]sh, and Setup_Rainbow_miner[.]sh.
One of the scripts comes with login credentials for the primary distribution server and another one with an API key that might facilitate remote access to a tmate shared terminal session.
Furthermore, some of the scripts have defence evasion functions aimed at disabling Alibaba cloud security tools, Tencent Cloud Monitor, and third-party BMC Helix Cloud Security agents.
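The behaviours described above (downloading or executing payloads under known file names, opening a tmate shared terminal session, and stopping cloud monitoring agents) can be turned into a simple host-side check. The following is an added example written for this article; it is not TeamTNT code or any vendor's tooling. The article names the affected vendors but not their service names, so the agent process names, the sample script and the sample process listing are constructed placeholders that a defender would replace with the agents actually deployed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# File names the article attributes to TeamTNT payloads, with the defanged "[.]"
# written as a real dot so they match actual paths in a script.
KNOWN_SCRIPT_NAMES = {
    "Kubernetes_root_PayLoad_1.sh",
    "Kubernetes_root_PayLoad_2.sh",
    "init.sh",
    "init_main_root.sh",
    "Setup_Rainbow_miner.sh",
}

# ASSUMED placeholder process names for the cloud monitoring agents the article
# says the scripts disable (Alibaba Cloud security tools, Tencent Cloud Monitor,
# BMC Helix). Replace with the real agent names running in your environment.
MONITORED_AGENTS = ("cloud_security_agent", "cloud_monitor", "helix_agent")

# Shell verbs that stop, kill or disable a service or process.
STOP_VERB = re.compile(
    r"\b(systemctl\s+(stop|disable|mask)|service\s+\S+\s+stop|pkill|killall|kill\s)"
)


@dataclass
class Finding:
    line_no: int
    category: str
    detail: str


def scan_script(text: str, agents=MONITORED_AGENTS) -> list[Finding]:
    """Flag lines of a shell script that match the indicators named in the article."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines, comments and the shebang
        # 1. A reference to one of the known payload file names.
        for name in KNOWN_SCRIPT_NAMES:
            if name in stripped:
                findings.append(Finding(n, "known_payload_name", name))
        # 2. A tmate invocation: the remote-access channel the article describes.
        if re.search(r"\btmate\b", stripped):
            findings.append(Finding(n, "tmate_remote_shell", stripped))
        # 3. A stop/kill/disable verb on the same line as a monitoring agent name.
        if STOP_VERB.search(stripped):
            for agent in agents:
                if agent in stripped:
                    findings.append(Finding(n, "agent_disable", agent))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Count findings per category, for a one-line triage summary."""
    return dict(Counter(f.category for f in findings))


def missing_agents(ps_output: str, agents=MONITORED_AGENTS) -> list[str]:
    """Health check: return monitored agents absent from a `ps -eo comm` style listing.
    An agent that has silently vanished is itself a signal worth alerting on."""
    running = {line.strip() for line in ps_output.splitlines()}
    return [a for a in agents if a not in running]


# Constructed sample script modelled on the behaviours the article describes.
SAMPLE_SCRIPT = """#!/bin/bash
# constructed sample, not a real TeamTNT payload
bash /tmp/init.sh
systemctl stop cloud_security_agent
service cloud_monitor stop
pkill -9 helix_agent
tmate -S /tmp/tmate.sock new-session -d
echo done
"""

# Constructed `ps -eo comm` output in which two of the three agents are gone.
SAMPLE_PS = "systemd\nsshd\ncloud_monitor\nbash\n"

if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: {f.category} ({f.detail})")
    print("summary:", summarize(scan_script(SAMPLE_SCRIPT)))
    print("agents not running:", missing_agents(SAMPLE_PS))
```

Run on the constructed sample, the scanner reports one known payload name, one tmate invocation and three agent-disable lines, and the health check reports the two agents missing from the process listing. The scanner is deliberately string-based so it can run on a host with nothing but Python installed; a benign `systemctl restart nginx` line produces no finding because no monitored agent name appears on it.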
Similar campaign
Recently, the LemonDuck botnet was found targeting Docker to mine cryptocurrency on Linux systems.
It too evades detection by disabling Alibaba Cloud's monitoring service, in much the same way as TeamTNT.
It runs an anonymous mining operation using proxy pools for hiding wallet addresses.
Conclusion
Cybercriminals are increasingly targeting cloud environments, and TeamTNT is already a prominent player known for targeting cloud infrastructure. Continue taking the right measures to protect your systems from such threats.