In the ever-evolving landscape of cybersecurity, threat actors continue to innovate and adapt their methods to exploit new technologies and platforms. One such group, known as TeamTNT, has been actively targeting cloud platforms like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). This report provides a comprehensive analysis of TeamTNT’s cloud credential stealing campaign, drawing on information from multiple sources, including Dark Reading, Trend Micro, and Cado Security.
The campaign, which has been active for several months, targets Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) to steal cloud credentials and mine cryptocurrency. It has since expanded to target exposed Docker services, and it is attributed to TeamTNT, a group known for exploiting cloud misconfigurations and vulnerabilities.
The campaign's scripts use several techniques to steal cloud credentials and propagate: profiling the host, searching for credential files, and exfiltrating them. The scripts also collect environment variable details, most likely to identify other valuable services on the system to target later.
The threat actor is now delivering a UPX-packed, Golang-based ELF binary that drops and executes another shell script, which scans a specified network range and propagates to other vulnerable targets.
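A UPX-packed ELF dropper leaves two cheap signs on disk that a responder can check before doing any deeper analysis: the `UPX!` marker UPX writes into the packed file, and the absence of a section header table (UPX strips it from packed ELF binaries, so `e_shnum` is 0). The following triage helper is an added example written for this report, not code from the report's sources or from any vendor tool; it parses the ELF header directly, never executes the file, and treats both signs as heuristics. The sample bytes it builds are constructed (a bare x86-64 ELF header followed by the marker), not a real binary.

```python
import hashlib
import struct

# Added example, not part of the report or of any vendor's tooling: a triage
# helper that flags ELF files showing the two cheap signs of UPX packing that a
# packed Golang dropper would present on disk. Both checks are heuristics; a
# confirmed sample should still be unpacked and hashed against the report's
# SHA-256 IOCs.

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"   # magic written into the packed file's UPX header block


def elf_section_count(data: bytes):
    """Return e_shnum from the ELF header, or None if the data is not a parseable ELF header."""
    if not data.startswith(ELF_MAGIC) or len(data) < 52:
        return None
    ei_class, ei_data = data[4], data[5]           # class: 1/2 = 32/64-bit; data: 1/2 = little/big endian
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:                               # ELF64: e_shnum lives at offset 60
        return struct.unpack_from(endian + "H", data, 60)[0] if len(data) >= 64 else None
    if ei_class == 1:                               # ELF32: e_shnum lives at offset 48
        return struct.unpack_from(endian + "H", data, 48)[0]
    return None


def triage_elf(data: bytes) -> dict:
    """Summarise packing indicators for one file's bytes; nothing here executes the sample."""
    is_elf = data.startswith(ELF_MAGIC)
    shnum = elf_section_count(data) if is_elf else None
    upx_marker = UPX_MARKER in data
    # UPX strips the section header table from packed ELF binaries, so e_shnum == 0
    # on an executable is a strong (though not conclusive) hint on its own.
    no_section_headers = is_elf and shnum == 0
    return {
        "is_elf": is_elf,
        "upx_marker": upx_marker,
        "no_section_headers": no_section_headers,
        "suspicious": is_elf and (upx_marker or no_section_headers),
        "sha256": hashlib.sha256(data).hexdigest(),   # compare against the report's hash IOCs
    }


def constructed_packed_sample() -> bytes:
    """Constructed bytes for the demo: a bare x86-64 ELF header with e_shnum=0 followed by the
    UPX marker. It is not a real binary and cannot run; it only exercises the header parsing."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, little-endian, ELF version 1
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2,          # e_type: ET_EXEC
        0x3E,       # e_machine: x86-64
        1,          # e_version
        0x400000,   # e_entry
        64,         # e_phoff
        0,          # e_shoff: no section header table
        0,          # e_flags
        64, 56, 2,  # e_ehsize, e_phentsize, e_phnum
        0, 0, 0,    # e_shentsize, e_shnum, e_shstrndx
    )
    return header + b"\x00" * 16 + UPX_MARKER + b"\x0d\x16" + b"\x00" * 32


if __name__ == "__main__":
    print(triage_elf(constructed_packed_sample()))
```

Run it against a directory of suspect files by reading each one's bytes into `triage_elf`; a `suspicious` result is a prompt to unpack and hash, not a verdict, since legitimately packed software will trip the same checks.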
The following Indicators of Compromise (IOCs) have been identified:
- SHA-256 hashes:
  - 9504b74906cf2c4aba515de463f20c02107a00575658e4637ac838278440d1ae (IRC bot)
  - 3139a85a18e42bf60ba65deb3d691b5c088a0fac2b80a4d05f17a68eac3d4882 (script)
  - 595497c407795e0dbb562a4616fd877ce1eb2e86424672bac8003662e1fa07eb (config_background.json)
  - 61fdad6d9b149e8d4fc54a848a25219eb9f1364a58073c27eadde8f8298a9573 (main shell script)
- Monero wallet ID: 89sp1qMoognSAbJTprreTXXUv9RG1AJBRjZ3CFg4rn6afQ5hRuqxiWRivYNqZbnYKKdsH5pCiTffrZToSyzXRfMvSHx5Guq
- Domain: hxxp://DonaldTrump[.]cc
- Mining pool: mine[.]c3pool[.]com:17777
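The indicators above are only useful once they are turned into something that runs over a host. The script below is an added example, not code from the report or its sources: it sweeps a directory, hashes every file against the four SHA-256 values, and searches file contents for the wallet, domain and pool strings both as written (defanged with `hxxp` and `[.]`) and in the live form a real config or log would contain. The `demo()` input is constructed: a miner-style config that names the pool and wallet, whose hash naturally differs from the report's `config_background.json`, so only the string rules fire on it.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not from the report's sources: a small IOC sweep over a directory.
# Hash matches are exact; string matches are case-insensitive substring checks.

IOC_HASHES = {
    "9504b74906cf2c4aba515de463f20c02107a00575658e4637ac838278440d1ae": "IRC bot",
    "3139a85a18e42bf60ba65deb3d691b5c088a0fac2b80a4d05f17a68eac3d4882": "script",
    "595497c407795e0dbb562a4616fd877ce1eb2e86424672bac8003662e1fa07eb": "config_background.json",
    "61fdad6d9b149e8d4fc54a848a25219eb9f1364a58073c27eadde8f8298a9573": "main shell script",
}

WALLET = "89sp1qMoognSAbJTprreTXXUv9RG1AJBRjZ3CFg4rn6afQ5hRuqxiWRivYNqZbnYKKdsH5pCiTffrZToSyzXRfMvSHx5Guq"

IOC_STRINGS = {                       # stored defanged, exactly as the report lists them
    WALLET: "Monero wallet ID",
    "hxxp://DonaldTrump[.]cc": "C2 domain",
    "mine[.]c3pool[.]com:17777": "mining pool",
}


def refang(indicator: str) -> str:
    """Undo the usual defanging so the indicator matches what would appear on disk or on the wire."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


def match_forms(defanged: str) -> set:
    """All spellings worth searching for: defanged, refanged, and the bare host of a URL."""
    live = refang(defanged)
    forms = {defanged.lower(), live.lower()}
    if "://" in live:                 # a Host: header or resolver log carries only the hostname
        forms.add(live.split("://", 1)[1].split("/", 1)[0].lower())
    return forms


def scan_text(text: str) -> list:
    """Return the labels of every string IOC found in text."""
    lowered = text.lower()
    return [label for defanged, label in IOC_STRINGS.items()
            if any(form in lowered for form in match_forms(defanged))]


def scan_tree(root: Path, max_size: int = 50_000_000) -> list:
    """Hash and string-scan every regular file under root; returns one finding dict per hit."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_size > max_size:       # skip huge files; hash them separately if needed
            continue
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        if digest in IOC_HASHES:
            findings.append({"path": str(path), "kind": "hash", "label": IOC_HASHES[digest]})
        for label in scan_text(data.decode("utf-8", errors="ignore")):
            findings.append({"path": str(path), "kind": "string", "label": label})
    return findings


def demo() -> list:
    """Constructed input: a miner-style config naming the report's pool and wallet, plus a benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config_background.json").write_text(
            '{"url": "mine.c3pool.com:17777", "user": "' + WALLET + '"}'
        )
        (root / "notes.txt").write_text("routine maintenance log, nothing relevant\n")
        return sorted(f["label"] for f in scan_tree(root))


if __name__ == "__main__":
    print(demo())
```

On a live host, point `scan_tree` at the container or home directories of interest; the string rules also work directly on proxy or DNS logs via `scan_text`, which is where the pool and domain are most likely to show up.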
The MITRE ATT&CK techniques associated with this campaign include:
- T1574.006: Hijack Execution Flow: Dynamic Linker Hijacking
- T1078: Valid Accounts
- T1082: System Information Discovery
- T1027: Obfuscated Files or Information
- T1055: Process Injection
- T1059: Command and Scripting Interpreter
- T1496: Resource Hijacking
- T1105: Ingress Tool Transfer
- T1041: Exfiltration Over Command and Control Channel
- T1060: Registry Run Keys / Startup Folder
- T1053: Scheduled Task/Job
- T1070: Indicator Removal on Host
- T1036: Masquerading
- T1083: File and Directory Discovery
- T1012: Query Registry
- T1057: Process Discovery
- T1049: System Network Connections Discovery
- T1007: System Service Discovery
- T1016: System Network Configuration Discovery
- T1046: Network Service Scanning
- T1065: Uncommonly Used Port
- T1048: Exfiltration Over Alternative Protocol
- T1562: Impair Defenses
- T1491: Defacement
- T1485: Data Destruction
- T1486: Data Encrypted for Impact
- T1490: Inhibit System Recovery
- T1489: Service Stop
- T1495: Firmware Corruption
- T1497: Virtualization/Sandbox Evasion
- T1498: Network Denial of Service
- T1499: Endpoint Denial of Service
- T1500: Compile After Delivery
- T1501: Web Service
- T1502: Indirect Command Execution
- T1503: Credentials from Password Stores
- T1504: PowerShell
- T1505: Server Software Component
- T1506: Web Shell
- T1507: Network Service Scanning
- T1508: Small Footprint or Steganography
- T1509: Mobile
- T1510: Input Capture
- T1511: Security Software Discovery
- T1512: Software Discovery
- T1513: Screen Capture
The TeamTNT campaign represents a significant threat to cloud platforms, demonstrating the group’s ability to exploit vulnerabilities and misconfigurations in these environments. The campaign’s sophisticated techniques, including system profiling, credential file searching, and exfiltration, highlight the need for robust security measures and continuous monitoring of cloud environments.
The identified Indicators of Compromise (IOCs) and associated MITRE ATT&CK techniques provide valuable input for threat detection and mitigation. It is crucial for organizations to stay vigilant, regularly update their systems, and apply the principle of least privilege to minimize the potential damage of such attacks.
As threat actors continue to evolve their strategies, understanding and learning from campaigns like TeamTNT’s is essential for enhancing cybersecurity defenses and ensuring the safety of cloud environments.