TeamTNT Botnet aims to steal AWS and Docker Credentials


A crypto-mining botnet is using a malicious shell script to steal credentials not just for AWS but also Docker.

Analysts from security firm Trend Micro report that they’ve spotted a malware botnet that collects and steals Docker and AWS credentials. The discovery appeared in a report issued by Trend Micro this week.

The researchers have linked the botnet to a cybercrime operation known as TeamTNT. This is a group of malefactors that UK-based Cado Security identified back in August 2020. At the time, the group was busy installing cryptocurrency-mining malware on misconfigured container platforms and stealing AWS credentials.

Now Trend Micro’s analysts say they’ve spotted new attacks that appear to be from TeamTNT. Here the threat actors used shell scripts to perform their malicious activities, according to Trend Micro.

Based on previous attacks, Trend Micro reckons that TeamTNT typically used these malicious scripts to deploy cryptocurrency miners. However, recent cases highlight how they now serve other purposes besides being downloaders for cryptominers.

“Based on its Command and Control URLs, some strings, crypto keys, and the language used on the samples, we deduced that this latest attack came from the TeamTNT arsenal.”


Attackers get more refined

Trend Micro says the malicious shell script it is seeing was written in Bash, and that the development technique behind it is noticeably more refined than before. The endless lines of code are gone; the samples are well written and organised by function, with descriptive names.

Alfredo Oliveira, a senior security researcher at Trend Micro, says that TeamTNT has now added a feature that collects Docker API credentials on top of the existing AWS credential-stealing code.

Oliveira warns that thanks to this new feature, “implementing [Docker] API authentication is not enough.” He suggests that companies should make sure Docker management APIs aren’t exposed online in the first place.

In cases where organisations must enable the API ports, Trend Micro recommends that companies deploy firewalls. They should then use allow-lists to limit who can access the port.
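As an added illustration of that recommendation (this is not code from the article or from Trend Micro), the POSIX shell script below parses `ss -Hltn`-style listener output, flags Docker Engine API listeners bound to anything other than loopback, and prints an iptables allow-list for review. It assumes the standard Docker API ports 2375 (plaintext) and 2376 (TLS), which the article does not name; the socket listing and the management CIDRs are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the article or from Trend Micro.
# Assumes the standard Docker Engine API ports: 2375 (plaintext) and 2376 (TLS).

# Read `ss -Hltn`-style lines (STATE RECV-Q SEND-Q LOCAL:PORT PEER:PORT) and print
# every Docker API listener bound to something other than loopback.
# Returns 0 when nothing is exposed, 1 when at least one listener is.
docker_api_exposed() {
    found=0
    while read -r state recvq sendq laddr rest; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}              # text after the last colon
        addr=${laddr%:*}               # everything before it ("[::]" stays intact)
        case "$port" in 2375|2376) ;; *) continue ;; esac
        case "$addr" in 127.0.0.1|'[::1]'|localhost) continue ;; esac
        echo "$addr:$port"
        found=1
    done <<EOF
$1
EOF
    [ "$found" -eq 0 ]
}

# Print iptables rules that admit only the listed CIDRs to the API port and drop
# everyone else. They are printed, not applied, so they can be reviewed first.
docker_api_allowlist_rules() {
    port=$1
    shift
    for cidr in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$cidr"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Constructed sample of `ss -Hltn` output; on a live host use "$(ss -Hltn)".
SAMPLE='LISTEN 0 4096 127.0.0.1:2375 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:2376 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

if exposed=$(docker_api_exposed "$SAMPLE"); then
    echo "Docker API is only reachable on loopback"
else
    echo "Docker API exposed on: $exposed"
    # Constructed management CIDRs; replace with the real admin networks.
    docker_api_allowlist_rules 2376 10.0.0.0/24 192.0.2.10/32
fi
```

The loopback-only 2375 listener in the sample is ignored while the wildcard 2376 listener is reported, which is the distinction the audit exists to make.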