According to a new Trend Micro report the cybercriminal group TeamTNT has extended its capabilities and started to harvest credentials from multiple cloud and non-cloud services.
TeamTNT designs its malware to harvest credentials from specific software or services. When targeting Linux machines, the attackers try to find security holes, such as exposed private keys, cloud misconfigurations, and recycled passwords, and once inside the system they look for cloud-related files.
Researchers note that the group still uses its tried and true methods like harvesting credentials for Secure Shell (SSH) and Server Message Block (SMB) to obtain access to other systems. TeamTNT spreads its respective payloads in a worm-like manner, and Trend Micro researchers say they found several scripts for this function, one previously documented.
The malware searches for app configurations and data on the connected systems, and sends them over to the attackers’ command-and-control (C&C) server.
“If at least one of the sought-after configuration files is present in the infected system, the extended credential harvester aggregates all the services’ configuration files into two arrays. Comparing this harvester with the group’s previous versions, we saw a significant increase in targets,” researchers explain.
As TeamTNT’s operations focus on Monero mining, the malware’s purpose is to find Monero configuration files and wallets in the infected system.
Researchers note that the malware tries to delete signs of its activities but it still leaves traces in the infected system.
“While “history -c” clears the Bash history, some commands continue with their activities and leave traces on other parts of the system.”
The threat actors try to get their hands on users’ credentials in internal networks so that they could use the cloud services for other malicious activities, researchers say. One of the victim’s services they try to compromise is Git which poses a significant security risk, including supply chain compromise, because a malicious user then might perform source code modifications that will go unnoticed.
To protect against TeamTNT attacks and other similar threats, cloud users are advised to use the secret vaults offered by their CSPs. In addition, it is recommended to:
- Enforce the principle of least privilege
- Use strong and secure passwords
- Avoid storing credentials in plain text
