A malicious actor has been linked to a cloud credential stealing campaign in June 2023 that's focused on Azure and Google Cloud Platform (GCP) services, marking the adversary's expansion in targeting beyond Amazon Web Services (AWS).
The findings come from SentinelOne and Permiso, which said the "campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew," although it emphasized that "attribution remains challenging with script-based tools."
They also overlap with an ongoing TeamTNT campaign disclosed by Aqua called Silentbob that leverages misconfigured cloud services to drop malware as part of what's said to be a testing effort, while also linking SCARLETEEL attacks to the threat actor, citing infrastructure commonalities.
"TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP," Aqua noted.
The attacks, which single out public-facing Docker instances to deploy a worm-like propagation module, are a continuation of an intrusion set that previously targeted Jupyter Notebooks in December 2022.
As many as eight incremental versions of the credential harvesting script have been discovered between June 15, 2023, and July 11, 2023, indicating an actively evolving campaign.
The newer versions of the malware are designed to gather credentials from AWS, Azure, Google Cloud Platform, Censys, Docker, Filezilla, Git, Grafana, Kubernetes, Linux, Ngrok, PostgreSQL, Redis, S3QL, and SMB. The harvested credentials are then exfiltrated to a remote server under the threat actor's control.
SentinelOne said the credentials collection logic and the files targeted bears similarities to a Kubelet-targeting campaign undertaken by TeamTNT in September 2022.
Alongside the shell script malware, the threat actor has also been observed distributing a Golang-based ELF binary that acts as a scanner to propagate the malware to vulnerable targets. The binary further drops a Golang network scanning utility called Zgrab.
"This campaign demonstrates the evolution of a seasoned cloud actor with familiarity across many technologies," security researchers Alex Delamotte, Ian Ahl, and Daniel Bohannon said. "The meticulous attention to detail indicates the actor has clearly experienced plenty of trial and error."
"This actor is actively tuning and improving their tools. Based on the tweaks observed across the past several weeks, the actor is likely preparing for larger scale campaigns."
More connections between SCARLETEEL and TeamTNT emerge
"From what we know about SCARLETEEL, there is demonstrable overlap in techniques between these TeamTNT-like campaigns," Delamotte told The Hacker News. "The SilentBob campaign regularly achieves access, steals credentials, conducts reconnaissance on connected services and systems. SCARLETEEL obtained credentials from a Terraform configuration file, which is similar to the SilentBob activity."
"The most reliable link is the callout from Avigayil Mechtinger at Sysdig: Avi noted the SCARLETEEL 2.0 campaign used a crypto miner with the same Monero wallet address. This is fairly conclusive evidence the campaigns are related." The wallet address in question is 43Lfq18TycJHVR3AMews5C9f6SEfenZoQMcrsEeFXZTWcFW9jW7VeCySDm1L9n4d2JEoHjcDpWZFq6QzqN4QGHYZVaALj3U.
Sysdig however said that the use of a common infrastructure notwithstanding, a clear-cut attribution to TeamTNT is difficult due to certain differences in tactics, techniques, and procedures (TTPs).
"There definitely is overlap with some of the infrastructure used by threats such as SCARLETEEL and TeamTNT," Michael Clark, director of threat research at Sysdig, told the publication. "However, there are also differences with the rest of the TTPs observed (i.e., using a custom AWS endpoint) which makes it difficult to do accurate attribution to a single threat actor."
