A new campaign, tracked as Chimaera, conducted by the TeamTNT group.

Threat actors used a large set of open-source tools in the attacks. Threat actors leverage open-source tools to avoid detection and make hard the attribution of the attacks.

The TeamTNT botnet is a crypto-mining malware operation that has been active and targets Docker installs.The cybercrime gang launched a new campaign targeting Kubernetes environments with the Hildegard malware.

The Chimaera campaign is targeting multiple operating systems ( Window, Linux, AWS, Docker, and Kubernetes) and applications, threat actors used a wide set of shell/batch scripts, new open-source tools, a cryptocurrency miner, the TeamTNT IRC bot, and more.

Many malware samples used by the attacker still have zero detection rate from AV software. The campaign is responsible for thousands of infections globally in only a couple of months.

A partial list of the tools used by the group includes:

  • Masscan and port scanner to search for new infection candidates
  • libprocesshider for executing their bot directly from memory
  • Lazagne, an open-source tool for multiple web operating systems, which is used to collect stored credentials from numerous applications.

AT&T Alien Labs has discovered new malicious files distributed by the threat actor TeamTNT. Researches have observed of TeamTNT in older campaigns, they are focusing on stealing cloud systems credentials, using infected systems for cryptocurrency mining, and abusing victim’s machines to search and spread to other vulnerable systems.