We recently spotted new attacks where, again, threat actors used shell scripts to perform their malicious activities. Based on previous attacks, these malicious scripts were typically used to deploy cryptocurrency miners. But recent cases involving these fresh samples highlighted how the scripts are developed, as they now serve other purposes besides being downloaders for cryptominers.
Based on its Command and Control URLs, some strings, crypto keys, and the language used on the samples, we deduced that this latest attack came from the TeamTNT arsenal.
The malicious shell script used here was developed in Bash. Compared to past similar attacks, the development technique was much more refined for this script; there were no more endless lines of code, and the samples were well-written and organized by function with descriptive names.
Source: Trend Micro