SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Threat actor continues to build out spam arsenal, primarily targets Amazon Web Services
Description: Cisco Talos has recently received modified versions of the TeamTNT cybercrime group's malicious shell scripts. These scripts are primarily designed to target Amazon Web Services (AWS) but could also run on on-premises, container or other forms of Linux instances. Besides the primary credential-stealer scripts, there are several TeamTNT payloads focused on cryptocurrency mining, persistence and lateral movement, using techniques such as discovering and deploying onto all Kubernetes pods in a local network. There is also a script containing login credentials for the primary distribution server, and another containing an API key that might provide remote access to a tmate shared terminal session. Some of the TeamTNT scripts even contain defense evasion functions focused on disabling Alibaba Cloud security tools. The tools used by TeamTNT demonstrate that cybercriminals are increasingly comfortable attacking modern environments such as Docker, Kubernetes and public cloud providers, which have traditionally been avoided by other cybercriminals who have instead focused on on-premises or mobile environments.
References: https://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html
ClamAV signature: Unix.Trojan.TeamTNT-9940866-0
Title: Lazarus Group continues to target blockchain, cryptocurrency companies
Description: The U.S. government warned last week that the Lazarus Group APT continues to target blockchain and cryptocurrency-related companies to generate revenue. The North Korean state-sponsored actor has been active for years, mainly focusing on cyberattacks that could somehow make money for the group. This campaign involves Lazarus Group targeting users with spearphishing emails, then installing a set of malicious apps called “TraderTraitor” that disguise themselves as legitimate cryptocurrency trading applications. The ultimate goal is conducting fraudulent activities on the blockchain, often stealing from users’ cryptocurrency wallets.
References:
- https://www.cisa.gov/uscert/ncas/alerts/aa22-108a
- https://duo.com/decipher/cisa-lazarus-apt-targeting-blockchain-orgs-with-tradertraitor-malware
SNORT® SIDs: 59607