In recent months, the Internet Relay Chat (IRC) bot used by the cybercrime group TeamTNT has expanded its functionality from stealing computing resources for cryptocurrency mining to stealing Docker API, Amazon Web Services (AWS) and Secure Shell (SSH) credentials.

Cado Security researchers have described several recent changes in the bot's post-intrusion behavior. The botnet script can now steal credentials for AWS IAM roles, both from files on disk and from the AWS instance metadata URL, which exposes privileged information.

In December, the Trend Micro team analyzed the payload of an ongoing TeamTNT attack and reported that the updated code contained an IRC bot, which its authors called "TNTbotinger". Further analysis by the Lacework team revealed that the TNTbotinger malware, known as "Ziggy StarTux", was a variant of Kaiten. The script was first reported in August by MalwareHunterTeam (original tweets since deleted) and appears to have been active since April 2020 and a number of …
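The two credential sources named above, local files and the instance metadata URL, are both visible to host-level monitoring. The following is an added detection example, not code from the article or from any of the vendors it cites: it scans a constructed, simplified audit log (fields `pid user comm event target`, a format assumed for this example) and flags fetches of IAM role credentials from the metadata service together with reads of well-known credential files.

```python
import re
from dataclasses import dataclass

# Constructed sample audit log (not from the article). Format assumed for
# this example: "pid user comm event target", where net_connect targets carry
# the host:port plus the HTTP method and path.
SAMPLE_LOG = """\
1041 root curl net_connect 169.254.169.254:80 GET /latest/meta-data/iam/security-credentials/
1041 root curl net_connect 169.254.169.254:80 GET /latest/meta-data/iam/security-credentials/web-role
2200 root bash file_open /root/.aws/credentials
2200 root bash file_open /root/.docker/config.json
2200 root bash file_open /root/.ssh/id_rsa
3301 app python3 net_connect 10.0.3.14:5432 CONNECT
3302 app cat file_open /etc/hostname
"""

# AWS instance metadata service (IMDS) address and the IAM credential path.
IMDS_HOST = "169.254.169.254"
IMDS_CRED_PATH = "/latest/meta-data/iam/security-credentials"

# Credential files an intruder typically looks for; matched on path suffix.
SENSITIVE_FILE_PATTERNS = [
    re.compile(r"/\.aws/credentials$"),
    re.compile(r"/\.docker/config\.json$"),
    re.compile(r"/\.ssh/id_[a-z0-9]+$"),
]


@dataclass
class Finding:
    pid: int
    comm: str
    reason: str
    target: str


def parse_line(line):
    """Split one audit line into (pid, user, comm, event, target); None if malformed."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    pid, user, comm, event, target = parts
    if not pid.isdigit():
        return None
    return int(pid), user, comm, event, target


def is_imds_credential_fetch(target):
    """True when a net_connect target is the IMDS host and the IAM credential path."""
    pieces = target.split()
    if len(pieces) < 3:
        return False
    hostport, _method, path = pieces[0], pieces[1], pieces[2]
    host = hostport.split(":")[0]
    return host == IMDS_HOST and path.startswith(IMDS_CRED_PATH)


def is_sensitive_file(path):
    return any(p.search(path) for p in SENSITIVE_FILE_PATTERNS)


def detect(log_text):
    """Return a Finding for every credential-theft indicator in the log."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, _user, comm, event, target = parsed
        if event == "net_connect" and is_imds_credential_fetch(target):
            findings.append(Finding(pid, comm, "imds_iam_credentials", target))
        elif event == "file_open" and is_sensitive_file(target):
            findings.append(Finding(pid, comm, "sensitive_file", target))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"pid={f.pid} comm={f.comm} reason={f.reason} target={f.target}")
```

On the sample log this yields five findings: two metadata credential fetches by the `curl` process and three credential-file reads by the `bash` process; the database connection and the `/etc/hostname` read are ignored. In a real deployment the `target` parsing would be adapted to the audit source in use, and any process inside a container reaching the metadata credential path is a strong signal on its own, since application workloads rarely need to call it directly.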
