Newest TeamTNT IRC Bot Steals AWS and Docker Credentials
Once you have all of the prerequisites, there are a few different ways to install CCAT–from source code or using CCAT’s Docker image. Using obfuscation and encodings in bash scripts and while communicating through C2 servers. The group continued their attacks on Docker however they started using the Ubuntu images directly instead of Alpine.
They say that the development technique was much more refined for this script. Also, the samples were well-written and organized by function with descriptive names. Based on previous attacks, Trend Micro reckons that TeamTNT typically used these malicious scripts to deploy cryptocurrency miners. However, recent cases highlight how they now serve other purposes besides being downloaders for cryptominers. The TrendMicro team has also found corresponding code to the TNTbotinger and Borg attacks embedded in Docker Hub images, which they’ve linked to TeamTNT.
With a little bit of manipulation on the output format, we are able to also see the command line for each process! Below, we can see that the malware made a curl request to the adversary’s hosting site in order to download more malware. Sysdig threat researchers were able to run this specific image through our Docker image sandbox in order to perform dynamic analysis.
Watchdog.c – A type of monitoring tool used in Linux for monitoring the mining process. From the generated logs, we could infer that the Botinger is creating files under /dev/shm/, spawning new tshd and bioset processes, and listening to TCP ports and 1982. The scenario’s purpose is to demonstrate how an attacker can install and run TNTBotinger in a Kubernetes environment.
In the Malware scan details section, the Trigger finding ID points to the original GuardDuty finding that triggered the malware scan. In my case, the original finding was that this EC2 instance was performing RDP brute force attacks against another EC2 instance. Trend Micro says Bash was used to develop the malicious shell script they are seeing.
With GuardDuty, you don’t need to deploy security software or agents to monitor for malware. You only pay for the amount of GB scanned in the file systems and for the EBS snapshots during the time they are kept in your account. All EBS snapshots created by GuardDuty are automatically deleted after they are scanned unless you enable snapshot retention when malware is found. To help you control costs and avoid repeating alarms, the same volume is not scanned more often than once every 24 hours.
The botnet script can now steal credentials from AWS IAM roles, from both files and the AWS metadata URL, which exposes privileged information. Analysts from security firm Trend Micro said in a report today that they’ve spotted a malware botnet that collects and steals Docker and AWS credentials. When a Docker API is accidentally exposed, it is a safe assumption that opportunistic attackers will try to use the provisioned resources to run their own malware, most commonly a cryptominer.
Now Trend Micro’s analysts say they’ve spotted new attacks that appear to be from TeamTNT. Here the threat actors used shell scripts to perform their malicious activities, according to Trend Micro. Chris is well known for building the popular threat intelligence portal ThreatCrowd, which subsequently merged into the AlienVault Open Threat Exchange, later acquired by AT&T. Chris is an industry-leading threat researcher and has published a number of widely read articles and papers on targeted cyber attacks. His research on topics such as the North Korean government’s crypto-currency theft schemes, and China’s attacks against dissident websites, has been widely discussed in the media. He has also given interviews to print, radio and TV such as CNN and BBC News.