What's new arround internet
Last one

Src Date (GMT) Titre Description Tags Stories Notes
Anomali.webp 2021-10-06 19:06:00 Inside TeamTNT\'s Impressive Arsenal: A Look Into A TeamTNT Server (lien direct) Authored By: Tara Gould Key Findings Anomali Threat Research has discovered an open server to a directory listing that we attribute with high confidence to the German-speaking threat group, TeamTNT. The server contains source code, scripts, binaries, and cryptominers targeting Cloud environments. Other server contents include Amazon Web Services (AWS) Credentials stolen from TeamTNT stealers are also hosted on the server. This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups leveraging their tools. Overview Anomali Threat Research has identified a TeamTNT server open to directory listing. The server was used to serve scripts and binaries that TeamTNT use in their attacks, and also for the IRC communications for their bot. The directory appears to have been in use since at least August 2021 and was in use as of October 5, 2021. The contents of the directory contain metadata, scripts, source code, and stolen credentials. TeamTNT is a German-speaking, cryptojacking threat group that targets cloud environments. The group typically uses cryptojacking malware and have been active since at least April 2020.[1] TeamTNT activity throughout 2021 has targeted AWS, Docker, GCP, Linux, Kubernetes, and Windows, which corresponds to usual TeamTNT activity.[2] Technical Analysis Scripts (/cmd/) Overview of /cmd/ Figure 1 - Overview of /cmd/ Contained on the server are approximately 50 scripts, most of which are already documented, located in the /cmd/ directory. The objective of the scripts vary and include the following: AWS Credential Stealer Diamorphine Rootkit IP Scanners Mountsploit Scripts to set up utils Scripts to setup miners Scripts to remove previous miners Snippet of AWS Credential Stealer Script Figure 2 - Snippet of AWS Credential Stealer Script Some notable scripts, for example, is the script that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server. Chimaera_Kubernetes_root_PayLoad_2.sh Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh Another interesting script is shown in Figure 3 above, which checks the architecture of the system, and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236. Binaries (/bin/) Overview of /bin Figure 4 - Overview of /bin Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations. Among the files are well-known samples that are attributed to TeamTNT, including the Tsunami backdoor and a XMRig cryptominer. Some of the tools have the source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker, noted in Appendix A. Malware Tool Threat Uber APT 32
Last update at: 2024-07-03 05:07:27
See our sources.
My email:

To see everything: Our RSS (filtrered) Twitter