Black-T

"targeting exposed Docker daemon APIs ... on compromised cloud systems"; "downloaded ... to the compromised cloud system that maintained an exposed Docker daemon API"

"memory password scraping operations via mimipy and mimipenguins"; "Upon uncovering any passwords residing in memory... written to ... output.txt"

"group known to target AWS credential files"; "still targeting AWS credential and configuration files located on compromised AWS cloud systems"; files collected include "/root/.aws/"

"capability to use three different network scanning tools to identify additional exposed Docker daemon APIs... Both masscan and pnscan... addition of zgrab"; "addition of a new scanning port, TCP 5555"; "performs scanning operations on a random CIDR 8 network range"

"downloaded from the TeamTNT domain... to the compromised cloud system"; "downloads two files, which execute directly into bash"; multiple hxxps://teamtnt[.]red/... payload URLs

"tar files... then sent to the URL hxxps://teamtnt[.]red/only_for_stats/dup.php"; "output.txt ... uploaded to hxxps://teamtnt[.]red/only_for_stats/dup.php"

"mine for Monero (XMR)"; "downloads the known XMR miner software sbin_u"; "configures the XMR mining software to use... XMR wallet address"

"naming 8.8.4.4 and 8.8.8.8 as new DNS servers... flushing all established IP table rules using the command iptables -F"; "setting Path Variables"

"remove known cryptojacking malware already in place"; "removal and evasion of Aliyun and Tencent cloud security software"; "targets Kinsing... and other... miners"