TeamTNT threat group has modified versions of malicious shell scripts, that can run on-premise, in containers, or other Linux instances, to mine cryptocurrency in AWS.
TeamTNT’s shell scripts
Along with credential stealer scripts, various TeamTNT payloads are focused on crypto-mining, persistence, and lateral movement by discovering and deploying all Kubernetes pods in a local network.
- The names of some of these scripts are Kubernetes_root_PayLoad_2[.]sh, Kubernetes_root_PayLoad_1[.]sh, init[.]sh, init_main_root[.]sh, and Setup_Rainbow_miner[.]sh.
- One of the scripts comes with login credentials for the primary distribution server and another one with an API key that might facilitate remote access to a tmate shared terminal session.
Furthermore, some of the scripts have defence evasion functions aimed at disabling Alibaba cloud security tools, Tencent Cloud Monitor, and third-party BMC Helix Cloud Security agents.
Similar campaign
- Similarly, it avoids detection by targeting Alibaba Cloud's monitoring service and disabling it in a similar way as TeamTNT.
- It runs an anonymous mining operation using proxy pools for hiding wallet addresses.
Conclusion
Cybercriminals are now prominently targeting cloud environments and TeamTNT is already a prominent player known for targeting cloud infrastructure. Continue taking the right measures to protect your systems from such threats.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_225275668.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/9de1_shutterstock_1197236665.jpg)
