A novel file uploaded to VirusTotal on Feb. 25 is linked to the defunct and notorious threat actor TeamTNT. The discovery has researchers questioning if threat actors behind TeamTNT are regrouping or if the sample is simply an artifact of the adversary.
TeamTNT, best known for its attacks on Amazon Web Services (AWS) cloud environments, claimed to have “Quit the Szene” in a tweet on Nov. 17, 2021.
According to researchers at Cado Security, the file uploaded to VirusTotal in February has similar tactics, techniques and procedures (TTPs) to those exhibited by TeamTNT.
In a Thursday blog post, Cado reported the file it found in VirusTotal had a cryptocurrency wallet ID that’s been previously attributed to TeamTNT, a group it has been tracking since 2020. At the time, TeamTNT made a name for itself as the first crypto-mining worm to steal AWS credentials.
Matt Muir, a threat intelligence researcher at Cado Security, explained to SC Media that the recent malware sample uploaded to VirusTotal had certain behaviors that were similar to the malware distributed by TeamTNT. For starters, Muir said it had a custom process hider, meaning that it could obfuscate an application’s process so an administrator could not discover the malware. “They also used fake user names that TeamTNT is known to use, such as [email protected],” said Muir.
Muir explained that Cado’s research team discovered this malware after reading a Sysdig blog that described the SCARLETEEL campaign, a sophisticated cloud campaign that resulted in stolen proprietary