TeamTNT Botnet Updated to Steal Docker and AWS Credentials

Analysts from security firm Trend Micro report that they’ve spotted a malware botnet that collects and steals Docker and AWS credentials. Researchers said that TeamTNT was the first crypto-mining botnet that implemented a feature dedicated to collecting and stealing AWS credentials. Experts noticed that the container image that holds all the malicious samples was created recently, the total number growing sees signs amiss study of downloads is 2,000. “There were no more endless lines of code, and the samples were well-written and organized by function with descriptive names.” Analysts from security firm Trend Micro said in a report today that they’ve spotted a malware botnet that collects and steals Docker and AWS credentials. This finding’s severity is low if a brute force attack is aimed at one of your EC2 instances.

The bot has itself been active since at least April and was deployed by a cybercrime group called “TeamTNT.” The attack only recently started targeting AWS logins, said the report. Chris is well known for building the popular threat intelligence portalThreatCrowd, which subsequently merged into theAlienVault Open Threat Exchange, later acquired by AT&T. Chris is an industry leading threat researcher and has published a number of widely read articles and papers on targeted cyber attacks. His research on topics such as the North Korean government’scrypto-currency theft schemes, and China’s attacksagainst dissident websites, have been widely discussed in the media. – A post-exploitation tool meant to help network pivot from a compromised Unix box. This tool collects usernames, SSH keys, as well as known hosts from a Unix systemt and then tries to connect via SSH to all the combinations found. Now, the same researchers have said this botnet was upgraded to steal even the Docker credentials. But in case the API ports have to be enabled, the Trend Micro researcher recommends that companies deploy firewalls to limit who can access the port using allow-lists.” “Furthermore, Oliveira says TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS creds-stealing code.

This finding informs you the listed EC2 instance in your AWS environment might be compromised because it is trying to communicate with an IP address of a black hole . A black hole IP address specifies a host machine that is not running or an address to which no host has been assigned. Ports that can trigger this finding, such as port 8088 , could potentially be used for remote code execution. The Sysdig Threat Research Team has detected an attack that can be attributed to the TeamTNT.

Your EC2 instance may be trying to retrieve sensitive data stored on a phishing website, or it may be attempting to set up a phishing website. This finding informs you that the listed EC2 instance in your AWS environment is engaged in a possible port scan attack because it is trying to connect to multiple ports over a short period of time. The purpose of a port scan attack is to locate open ports to discover which services the machine is running and to identify its operating system.