Written by Darin Smith
Summary

- TeamTNT modified their scripts after they were made public by security researchers.
- TeamTNT scripts primarily target AWS, but can also run on-premise, in containers, or in other forms of Linux instances.
- TeamTNT payloads include credential stealers, cryptocurrency mining, persistence and lateral movement.
- TeamTNT scripts are also capable of disabling cloud security tools such as Alibaba's aegis cloud security agent.

Cisco Talos has recently received, from an intelligence partner, modified versions of the TeamTNT cybercrime group's malicious shell scripts, an earlier version of which was detailed by Trend Micro. According to our intelligence partner, the malware author modified these tools after they became aware that security researchers had published the previous version of their scripts. These scripts are primarily designed to target Amazon Web Services (AWS) but could also run on-premise, in containers, or in other forms of Linux instances.
Besides the primary credential stealer scripts, there are several TeamTNT payloads focused on cryptocurrency mining, persistence and lateral movement using techniques such as discovering and deploying onto all Kubernetes pods in a local network. There is also a script with login credentials for the primary distribution server, and another with an