ALPS blog

TeamTNT’s Extended Credential Harvester Targets Cloud Services, Other Software

Keeping secrets safe is key to keeping systems secure and preventing supply-chain attacks. Malicious actors often go after secrets in storage mechanisms and harvest credentials found in compromised systems. And credentials stored in plain text that are accessible even without user interaction are not uncommon for DevOps software and are therefore a big security risk.

Malicious actors have been known to harvest cloud service provider (CSP) credentials once they get into their victims’ systems. The cybercriminal group TeamTNT, for example, is no stranger to targeting cloud containers, expanding their arsenal to steal cloud credentials, and exploring other environments and intrusive activities. In the group’s latest attack routine, we found new evidence that TeamTNT has further extended its credential harvesting capabilities to target multiple cloud and non-cloud services in victims’ internal networks and systems post-compromise.

Technical analysis

Figure 1. TeamTNT’s infection chain for harvesting credentials

TeamTNT’s malware is designed to harvest credentials from specific software and services. It infects Linux machines with openings such as exposed private keys and recycled passwords, and focuses on checking the infected systems for cloud-related files.

As in the group’s other attacks, cloud misconfigurations and reused passwords provide easy entry to a victim system. And as before, the group harvests credentials for Secure Shell (SSH) and Server Message Block (SMB) to obtain access to other systems. Both intrusion techniques can spread their respective payloads in a wormlike manner. We found several scripts for this function (to ensure the spread of payloads in different environments), one of which we had previously documented.

With a .netrc file to automatically log in using the harvested credentials, the malware looks for app configurations and data based on a search list while going through the connected systems, and sends them to the command-and-control (C&C) server.

Figure 2. Scanning for configurations that the group is interested in
Figure 3. Checking whether any of the configuration files of targeted services are present in the infected system

If at least one of the sought-after configuration files is present in the infected system, the extended credential harvester aggregates all the services’ configuration files into two arrays. Comparing this harvester with the group’s previous versions, we saw a significant increase in targets.

Figure 4. Aggregating the targeted services’ configuration files into two arrays

As TeamTNT’s payloads focus on unauthorized mining of Monero, it’s no surprise that the malware also looks for Monero configuration files in the infected system. The malware looks for the presence of Monero wallets in all the systems the group can access.

At the end of its routine, the malware tries to delete traces of itself from the infected system. However, our analysis strongly indicates that this is not done effectively. While “history -c” clears the Bash history, some commands continue with their activities and leave traces on other parts of the system.

Figure 5. Attempting to clear traces of the routine from the infected system


Malicious actors actively look for legitimate users’ credentials in internal networks and systems to facilitate their post-intrusion activities. If in possession of CSP credentials, they could use the cloud services paid by legitimate entities for other malicious activities. Stolen credentials for version control software such as Git also pose significant security risks, including supply chain compromise, since it is highly likely that a malicious user will also have write capability into repositories, and can therefore perform source code modifications that will go unnoticed.

In addition, credentials stored in plain text serve as a gold mine for cybercriminals, especially when used in subsequent attacks. Harvested FTP credentials, for example, could lead to old-school website hacking or credential modifications, followed by ransom demands in exchange for access or data restoration. The same goes for vulnerabilities, especially those in unpatched and otherwise unsecured internet-facing systems.

To mitigate the risks of this TeamTNT routine and other similar threats, customers are advised to use the secret vaults offered by their CSPs and to follow these best practices:

  • Enforce the principle of least privilege and adopt the shared responsibility model.
  • Replace default credentials with strong and secure passwords, and ensure that security settings of different systems’ environments are customized to the organization’s needs.
  • Avoid storing credentials in plain text, and enable multifactor authentication whenever available.
  • Update and patch systems regularly. Consider the security, customization of credentials, and patching of front-facing systems to ensure no gaps can be abused for malicious activities.

Trend Micro solutions

Cloud-specific security solutions such as Trend Micro Hybrid Cloud Security can help protect cloud-native systems and their various layers. Trend Micro Hybrid Cloud Security is powered by Trend Micro Cloud One™, a security services platform for cloud builders that provides automated protection for continuous-integration and continuous-delivery (CI/CD) pipelines and applications. It also helps identify and resolve security issues sooner and improve delivery time for DevOps teams. The Trend Micro Cloud One platform includes:


Featured News