This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-06-02T18:32:58+00:00 www.secnews.physaphae.fr Anomali - Firm Blog Figure 1 - Overview of /cmd/ Contained on the server are approximately 50 scripts, most of which are already documented, located in the /cmd/ directory. The objective of the scripts vary and include the following: AWS Credential Stealer Diamorphine Rootkit IP Scanners Mountsploit Scripts to set up utils Scripts to setup miners Scripts to remove previous miners Figure 2 - Snippet of AWS Credential Stealer Script Some notable scripts, for example, is the script that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server. Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh Another interesting script is shown in Figure 3 above, which checks the architecture of the system, and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236. Binaries (/bin/) Figure 4 - Overview of /bin Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations. Among the files are well-known samples that are attributed to TeamTNT, including the Tsunami backdoor and a XMRig cryptominer. Some of the tools have the source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker, noted in Appendix A. ]]> 2021-10-06T19:06:00+00:00 https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server www.secnews.physaphae.fr/article.php?IdArticle=3479896 False Malware,Tool,Threat APT 32,Uber None InformationSecurityBuzzNews - Site de News Securite Oceansalt Cyberattack Wave Linked To Defunct Chinese APT Comment Crew]]> 2018-10-19T15:30:05+00:00 https://www.informationsecuritybuzz.com/expert-comments/oceansalt-cyberattack-wave/ www.secnews.physaphae.fr/article.php?IdArticle=855291 True Tool,Threat APT 32,APT 1 None Wired Threat Level - Security News 2018-09-13T11:00:00+00:00 https://www.wired.com/story/hurricane-florence-underwater-drone-slocum-glider www.secnews.physaphae.fr/article.php?IdArticle=805942 False Tool APT 32 4.0000000000000000