# TeamTNT’s Extended Credential Harvester Targets Cloud Services, Other Software **[trendmicro.com/en_us/research/21/e/teamtnt-extended-credential-harvester-targets-cloud-services-other-software.html](https://www.trendmicro.com/en_us/research/21/e/teamtnt-extended-credential-harvester-targets-cloud-services-other-software.html)** May 18, 2021 We found new evidence that the cybercriminal group TeamTNT has extended its credential harvesting capabilities to include multiple cloud and non-cloud services. By: David Fiser, Alfredo Oliveira May 18, 2021 Read time: ( words) [Keeping secrets safe is key to keeping systems secure and preventing supply-chain attacks. Malicious](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/virtualization-and-cloud/identifying-weak-parts-of-a-supply-chain) actors often go after secrets in storage mechanisms and harvest credentials found in compromised systems. And [credentials stored in plain text that are accessible even without user interaction are not](https://www.trendmicro.com/en_us/research/19/h/hiding-in-plain-text-jenkins-plugin-vulnerabilities.html) uncommon for DevOps software and are therefore a big security risk. Malicious actors have been known to harvest cloud service provider (CSP) credentials once they get into their [victims’](https://www.trendmicro.com/en_us/research/21/c/teamtnt-continues-attack-on-the-cloud--targets-aws-credentials.html) [systems. The cybercriminal group TeamTNT, for example, is no stranger to targeting cloud](https://www.trendmicro.com/en_us/research/21/a/malicious-shell-script-steals-cloud-credentials.html) [containers, expanding their arsenal to steal cloud credentials, and exploring other environments and](https://www.trendmicro.com/en_us/research/21/a/malicious-shell-script-steals-cloud-credentials.html) [intrusive activities. In the group’s latest attack routine, we found new evidence that TeamTNT has further](https://www.trendmicro.com/en_us/research/21/c/teamtnt-continues-attack-on-the-cloud--targets-aws-credentials.html) extended its credential harvesting capabilities to target multiple cloud and non-cloud services in victims’ internal networks and systems post-compromise. Technical analysis ----- Figure 1. TeamTNT’s infection chain for harvesting credentials TeamTNT’s malware is designed to harvest credentials from specific software and services. It infects Linux machines with openings such as exposed private keys and recycled passwords, and focuses on checking the infected systems for cloud-related files. As in the group’s other attacks, cloud misconfigurations and reused passwords provide easy entry to a victim system. And as before, the group harvests credentials for Secure Shell (SSH) and Server Message Block (SMB) to obtain access to other systems. Both intrusion techniques can spread their respective payloads in a wormlike manner. We found several scripts for this function (to ensure the spread of [payloads in different environments), one of which we had previously documented.](https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html) With a .netrc file to automatically log in using the harvested credentials, the malware looks for app configurations and data based on a search list while going through the connected systems, and sends them to the command-and-control (C&C) server. Figure 2. Scanning for configurations that the group is interested in ----- Figure 3. Checking whether any of the configuration files of targeted services are present in the infected system If at least one of the sought-after configuration files is present in the infected system, the extended credential harvester aggregates all the services’ configuration files into two arrays. Comparing this harvester with the group’s [previous](https://www.trendmicro.com/en_us/research/21/c/teamtnt-continues-attack-on-the-cloud--targets-aws-credentials.html) [versions, we saw a significant increase in targets.](https://www.trendmicro.com/en_us/research/21/a/malicious-shell-script-steals-cloud-credentials.html) Figure 4. Aggregating the targeted services’ configuration files into two arrays As TeamTNT’s payloads focus on unauthorized mining of Monero, it’s no surprise that the malware also looks for Monero configuration files in the infected system. The malware looks for the presence of Monero wallets in all the systems the group can access. At the end of its routine, the malware tries to delete traces of itself from the infected system. However, our analysis strongly indicates that this is not done effectively. While “history -c” clears the Bash history, some commands continue with their activities and leave traces on other parts of the system. Figure 5. Attempting to clear traces of the routine from the infected system Conclusion ----- Malicious actors actively look for legitimate users credentials in internal networks and systems to facilitate their post-intrusion activities. If in possession of CSP credentials, they could use the cloud services paid by legitimate entities for other malicious activities. Stolen credentials for version control software such as Git also pose significant security risks, including supply chain compromise, since it is highly likely that a malicious user will also have write capability into repositories, and can therefore perform source code modifications that will go unnoticed. In addition, credentials stored in plain text serve as a gold mine for cybercriminals, especially when used in subsequent attacks. Harvested FTP credentials, for example, could lead to old-school website hacking or credential modifications, followed by ransom demands in exchange for access or data restoration. The same goes for vulnerabilities, especially those in unpatched and otherwise unsecured internet-facing systems. To mitigate the risks of this TeamTNT routine and other similar threats, customers are advised to use the secret vaults offered by their CSPs and to follow these best practices: [Enforce the principle of least privilege and adopt the](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/security-technology/best-practices-deploying-an-effective-firewall) [shared responsibility model.](https://www.trendmicro.com/en_us/research/19/j/the-shared-responsibility-model.html) [Replace default credentials with strong and secure passwords, and ensure that security settings of](https://blog.trendmicro.com/are-your-passwords-secure-enough/) different systems’ environments are customized to the organization’s needs. Avoid storing credentials in plain text, and enable multifactor authentication whenever available. Update and patch systems regularly. Consider the security, customization of credentials, and patching of front-facing systems to ensure no gaps can be abused for malicious activities. Trend Micro solutions [Cloud-specific security solutions such as Trend Micro Hybrid Cloud Security can help protect cloud-native](https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html) systems and their various layers. Trend Micro Hybrid Cloud Security is powered by Trend Micro Cloud One™, a security services platform for cloud builders that provides automated protection for continuousintegration and continuous-delivery (CI/CD) pipelines and applications. It also helps identify and resolve security issues sooner and improve delivery time for DevOps teams. The Trend Micro Cloud One platform includes: [Workload Security: runtime protection for workloads](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-workload-security.html) [Container Security: automated container image and registry scanning](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-container-image-security.html) [File Storage Security: security for cloud files and object storage services](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-file-storage-security.html) [Network Security: cloud network layer for intrusion prevention system (IPS) security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-network-security.html) [Application Security: security for serverless functions, APIs, and applications](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-application-security.html) [Conformity: real-time security for cloud infrastructure — secure, optimize, comply](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-conformity.html) Indicator of compromise **SHA256** **Detection** ed40bce040778e2227c869dac59f54c320944e19f77543954f40019e2f2b0c35 Trojan.SH.YELLOWDYE.A -----