TeamTNT’s Credential Harvester Targets Cloud Services

TeamTNT’s Credential Harvester Targets Cloud Services

According to a new Trend Micro report the cybercriminal group TeamTNT has extended its capabilities and started to harvest credentials from multiple cloud and non-cloud services.

TeamTNT designs its malware to harvest credentials from specific software or services. When targeting Linux machines, the attackers try to find security holes, such as exposed private keys, cloud misconfigurations, and recycled passwords, and once inside the system they look for cloud-related files.

Researchers note that the group still uses its tried and true methods like harvesting credentials for Secure Shell (SSH) and Server Message Block (SMB) to obtain access to other systems. TeamTNT spreads its respective payloads in a worm-like manner, and Trend Micro researchers say they found several scripts for this function, one previously documented.

The malware searches for app configurations and data on the connected systems, and sends them over to the attackers’ command-and-control (C&C) server.

“If at least one of the sought-after configuration files is present in the infected system, the extended credential harvester aggregates all the services’ configuration files into two arrays. Comparing this harvester with the group’s previous versions, we saw a significant increase in targets,” researchers explain.

As TeamTNT’s operations focus on Monero mining, the malware’s purpose is to find Monero configuration files and wallets in the infected system. 

Researchers note that the malware tries to delete signs of its activities but it still leaves traces in the infected system. 

“While “history -c” clears the Bash history, some commands continue with their activities and leave traces on other parts of the system.”

The threat actors try to get their hands on users’ credentials in internal networks so that they could use the cloud services for other malicious activities, researchers say. One of the victim’s services they try to compromise is Git which poses a significant security risk, including supply chain compromise, because a malicious user then might perform source code modifications that will go unnoticed.

To protect against TeamTNT attacks and other similar threats, cloud users are advised to use the secret vaults offered by their CSPs. In addition, it is recommended to:


About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.