A novel file uploaded to VirusTotal on Feb. 25 is linked to the defunct and notorious threat actor TeamTNT. The discovery has researchers questioning if threat actors behind TeamTNT are regrouping or if the sample is simply an artifact of the adversary.
TeamTNT, best known for its attacks on Amazon Web Services (AWS) cloud environments, claimed to have “Quit the Szene” in a tweet on Nov. 17, 2021.
According to researchers at Cado Security, the file uploaded to VirusTotal in February has similar tactics, techniques and procedures (TTPs) to those exhibited by TeamTNT.
In a Thursday blog post, Cado reported the file it found in VirusTotal had a cryptocurrency wallet ID that’s been previously attributed to TeamTNT, a group it have been tracking since 2020. At the time, TeamTNT made a name for itself as the first crypto-mining worm to steal AWS credentials.
Matt Muir, a threat intelligence researcher at Cado Security, explained to SC Media that the recent malware sample uploaded to VirusTotal had certain behaviors that were similar to the malware distributed by TeamTNT. For starters, Muir said it had a custom process hider, meaning that it could obfuscate an application’s process so an administrator could not discover the malware. “They also used fake user names that TeamTNT is known to use, such as Hildegard@TNT,” said Muir.
Muir explained that Cado’s research team discovered this malware after reading a Sysdig blog that described the SCARLETEEL campaign, a sophisticated cloud campaign that resulted in stolen proprietary data. According to the Sysdig blog, the attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account to steal proprietary software and credentials. This attack started from a compromised Kubernetes container and spread to the victim’s AWS account.
Muir said after understanding the details of the AWS attack described by Sysdig, Cado’s threat researchers ran a VirusTotal triage of files uploaded around the time of the report. That’s when they found the files with the TTPs security researchers have previously tied to TeamTNT.
“We read about the attack and learned how it worked,” said Muir. “We then used the information Sysdig published to find files that matched the characteristics they reported on.”
According to Cado’s blog, new infrastructure, in the form of a previously unattributed C2 domain, suggests that the sample Muir and his team found is part of new campaign. However, passive DNS results show that the domain was last updated on May 2, 2021. Cado believes it’s “more likely” that this is an old sample that’s never been reported on.
“Either way, it’s interesting to unearth a previously-undiscovered payload from a threat actor well-known to Cado researchers,” said the Cado blog. “Without more information, it’s impossible to conclusively link the sample analyzed in this blog to the attack that Sysdig reported, but it’s interesting that these files surfaced around the same time.”