Blackhole crypto


Author: Admin | 2025-04-28

That are commonly used in other campaigns. Next, it blackholes the Docker registry by writing its hostname to /etc/hosts with an IP of 0.0.0.0. This completely blocks other attackers from pulling their images and tools onto the box, eliminating the risk of competition. Keeping the Alpine image named docker/firstrun lets the attacker continue to use the Docker API to spawn an Alpine container they can use to break back in: the image is already downloaded, so the blackhole has no effect on it.

Conclusion

This malware sample, despite being primarily scripts, is a sophisticated campaign with a large amount of redundancy and evasion that makes detection challenging. The use of the hid process-hider script is notable, as it is not commonly seen; most malware opts to deploy clunkier rootkit kernel modules. The Docker registry blackhole is also novel, and very effective at keeping other attackers off the box.

The malware functions as a credential stealer, a highly stealthy backdoor, and a cryptocurrency miner all in one, which makes it versatile and able to extract as much value from infected machines as possible. The payloads seem similar to payloads deployed by other threat actors, with the AWS stealer in particular having a lot of overlap with scripts attributed to TeamTNT in the past. Even the C2 IP points to the same provider that TeamTNT has used in the past. It is possible that this group is one of the many copycat groups that have built on the work of TeamTNT.
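As an added example (not code from the original write-up), a small check a defender can run over /etc/hosts to spot the registry blackhole described above: it flags any entry that pins a Docker registry hostname to an unspecified or loopback address. The hostnames in WATCHED_REGISTRIES and the sample hosts file are assumptions, since the post only says "the docker registry".

```python
import ipaddress

# Registry hostnames to watch. The post only says "the docker registry", so the
# specific names below are an assumption (Docker Hub's pull and auth endpoints).
WATCHED_REGISTRIES = {"registry-1.docker.io", "index.docker.io", "docker.io", "auth.docker.io"}

def is_blackhole_address(addr: str) -> bool:
    """True for addresses that sinkhole a name: 0.0.0.0 (what this sample writes),
    the IPv6 unspecified address, or a loopback address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback

def find_registry_blackholes(hosts_text: str):
    """Return (line_no, address, hostname) for every /etc/hosts entry that pins a
    watched registry hostname to a blackhole address. Blank lines and comments are
    skipped, and a '#' mid-line ends the entry, as in /etc/hosts itself."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        fields = entry.split()
        addr, names = fields[0], fields[1:]
        if not is_blackhole_address(addr):
            continue
        for name in names:
            if name.lower().rstrip(".") in WATCHED_REGISTRIES:
                findings.append((line_no, addr, name))
    return findings

# Constructed sample: a normal /etc/hosts with the sample's blackhole entry appended.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
10.0.0.5    build-runner.internal
0.0.0.0     registry-1.docker.io   # appended by the malware
"""

if __name__ == "__main__":
    for line_no, addr, name in find_registry_blackholes(SAMPLE_HOSTS):
        print(f"/etc/hosts line {line_no}: {name} -> {addr} (registry blackholed)")
```

The same check applies to any private registry hostname your hosts pull from; add it to WATCHED_REGISTRIES.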
IoCs

Hashes
  user    5ea102a58899b4f446bb0a68cd132c1d
  tshd    73432d368fdb1f41805eba18ebc99940
  gsc     5ea102a58899b4f446bb0a68cd132c1d
  aws     25c00d4b69edeef1518f892eff918c2c
  base64  ec2882928712e0834a8574807473752a

IPs
  45[.]9.148.193
  103[.]127.43.208

Yara Rule

rule Stealer_Linux_CommandoCat {
    meta:
        description = "Detects CommandoCat aws.sh credential stealer script"
        license = "Apache License 2.0"
        date = "2024-01-25"
        hash1 = "185564f59b6c849a847b4aa40acd9969253124f63ba772fc5e3ae9dc2a50eef0"
    strings:
        // Constants
        $const1 = "CRED_FILE_NAMES"
        $const2 = "MIXED_CREDFILES"
        $const3 = "AWS_CREDS_FILES"
        $const4 = "GCLOUD_CREDS_FILES"
        $const5 = "AZURE_CREDS_FILES"
        $const6 = "VICOIP"
        $const7 = "VICHOST"
        // Functions
        $func1 = "get_docker()"
        $func2 = "cred_files()"
        $func3 = "get_azure()"
        $func4 = "get_google()"
        $func5 = "run_aws_grabber()"
        $func6 = "get_aws_infos()"
        $func7 = "get_aws_meta()"
        $func8 = "get_aws_env()"
        $func9 = "get_prov_vars()"
        // Log Statements
        $log1 = "no dubble"
        $log2 =
