
Crypto-Mining Worm Targets AWS Credentials

Cado Security has identified a crypto-mining worm that attempts to steal Amazon Web Services (AWS) credentials belonging to the organizations whose systems it has infected.

Operated by a group of attackers who call themselves TeamTNT, the worm has compromised many Docker and Kubernetes systems, Cado’s security researchers reveal.


Once on a system, the worm searches for and exfiltrates locally stored credentials, then scans the Internet for misconfigured Docker installations to spread to.

The AWS CLI and SDKs keep access keys in plaintext at ~/.aws/credentials; the malware reads that file, together with the profile settings in ~/.aws/config, and uploads both to the attackers’ server.
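The two files the worm copies are plain INI text, so the blast radius of a theft can be worked out from their contents alone. The following audit script is an added example, not code from Cado Security or from the worm. It parses ~/.aws/credentials and ~/.aws/config, joins each profile to its config section, and separates long-lived access keys (AKIA prefix, valid until someone revokes them) from temporary STS credentials (ASIA prefix, issued with a session token and expiring on their own). The sample file contents are constructed and every key value is a placeholder.

```python
"""Audit AWS credential files of the kind the TeamTNT worm exfiltrates.

Added example, not code from Cado Security or from the worm. The sample
file contents below are constructed; the key values are placeholders.
"""
import configparser
import os
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample contents; the values are placeholders, not real keys.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret1

[ci]
aws_access_key_id = ASIAEXAMPLEEXAMPLE02
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret2
aws_session_token = EXAMPLEtokenEXAMPLEtoken

[sso-only]
region = eu-west-1
"""

SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile ci]
region = us-east-1
role_arn = arn:aws:iam::123456789012:role/ci-deploy
"""


@dataclass
class ProfileFinding:
    profile: str
    kind: str                  # "long-lived", "temporary", "unknown" or "none"
    region: Optional[str]
    role_arn: Optional[str]


def classify_key(access_key_id: Optional[str]) -> str:
    """Classify an access key id by its prefix; AKIA keys never expire on their own."""
    if not access_key_id:
        return "none"
    if access_key_id.startswith("AKIA"):
        return "long-lived"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def audit(credentials_text: str, config_text: str) -> List[ProfileFinding]:
    """Join each credentials profile with its config section and classify it."""
    creds = configparser.ConfigParser(interpolation=None)
    creds.read_string(credentials_text)
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(config_text)
    findings = []
    for profile in creds.sections():
        section = creds[profile]
        kind = classify_key(section.get("aws_access_key_id"))
        # The config file names every profile except "default" as "[profile NAME]".
        conf_name = profile if profile == "default" else f"profile {profile}"
        region = role_arn = None
        if conf.has_section(conf_name):
            region = conf[conf_name].get("region")
            role_arn = conf[conf_name].get("role_arn")
        findings.append(ProfileFinding(profile, kind, region, role_arn))
    return findings


def exposed_long_lived(findings: List[ProfileFinding]) -> List[str]:
    """Profiles whose theft gives durable access until the key is revoked."""
    return [f.profile for f in findings if f.kind == "long-lived"]


def audit_home(home: Optional[str] = None) -> List[ProfileFinding]:
    """Run the audit against the real ~/.aws files; a missing file counts as empty."""
    base = os.path.join(home or os.path.expanduser("~"), ".aws")
    texts = []
    for name in ("credentials", "config"):
        path = os.path.join(base, name)
        texts.append(open(path).read() if os.path.exists(path) else "")
    return audit(*texts)


if __name__ == "__main__":
    findings = audit(SAMPLE_CREDENTIALS, SAMPLE_CONFIG)
    for finding in findings:
        print(finding)
    print("long-lived keys at risk:", exposed_long_lived(findings))
```

Run it on a container image or build host with `audit_home()` to list the profiles an attacker would walk away with; any profile reported as long-lived is a key to rotate immediately after a compromise, whereas a temporary credential ages out on its own and is usually better replaced by an instance or task role so nothing durable sits on disk at all.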

“We sent credentials created by CanaryTokens.org to TeamTNT, however have not seen them in use yet. This indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn’t currently functioning,” the researchers say.

On the compromised systems, the worm deploys publicly available malware and offensive security tools, such as punk.py (SSH post-exploitation tool), a log cleaning tool, the Diamorphine rootkit, and the Tsunami IRC backdoor.

The TeamTNT worm also scans for Docker APIs exposed on the network without authentication, runs images on any it finds, and installs itself there. It uses XMRig to mine Monero and generate revenue for the attackers.
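A Docker daemon is only reachable this way if it was configured to listen on TCP, which dockerd takes either from the `hosts` key in /etc/docker/daemon.json or from `-H`/`--host` flags on its systemd ExecStart line. The checker below is an added example, not Cado Security's code; it reads both sources and flags every tcp:// listener that is not protected by `--tlsverify` (or `"tlsverify": true`), marking wildcard binds separately because those are the ones an Internet-wide scan reaches. The daemon.json and unit-file contents are constructed.

```python
"""Flag Docker daemon listeners of the kind the TeamTNT worm scans for.

Added example, not Cado Security's code. The daemon.json and ExecStart
samples below are constructed.
"""
import json
import shlex
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: a daemon.json that exposes the API without TLS.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tlsverify": False,
})

# Constructed sample: a systemd ExecStart line with a TLS-protected listener.
SAMPLE_EXEC_START = (
    "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify "
    "--tlscacert=/etc/docker/ca.pem --containerd=/run/containerd/containerd.sock"
)


def hosts_from_daemon_json(text: str) -> Tuple[List[str], bool]:
    """Return (listen addresses, tlsverify) from daemon.json contents."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def hosts_from_exec_start(line: str) -> Tuple[List[str], bool]:
    """Return (listen addresses, tlsverify) from a systemd ExecStart= line."""
    cmd = line.split("=", 1)[1] if line.startswith("ExecStart=") else line
    argv = shlex.split(cmd)
    hosts, tlsverify = [], False
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if tok.startswith("--host="):
            hosts.append(tok.split("=", 1)[1])
        elif tok.startswith("-H") and len(tok) > 2:      # -Htcp://... form
            hosts.append(tok[2:])
        elif tok in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def is_wildcard_bind(endpoint: str) -> bool:
    """True when the listener binds every interface, not just loopback."""
    host = urlparse(endpoint).hostname
    return host in (None, "", "0.0.0.0", "::")


def exposed_tcp_endpoints(hosts: List[str], tlsverify: bool) -> List[str]:
    """tcp:// listeners that accept API calls without TLS client authentication."""
    if tlsverify:
        return []
    return [h for h in hosts if urlparse(h).scheme == "tcp"]


def report(hosts: List[str], tlsverify: bool) -> List[Tuple[str, bool]]:
    """Pair each exposed endpoint with whether it is bound on all interfaces."""
    return [(h, is_wildcard_bind(h)) for h in exposed_tcp_endpoints(hosts, tlsverify)]


if __name__ == "__main__":
    print("daemon.json:", report(*hosts_from_daemon_json(SAMPLE_DAEMON_JSON)))
    print("ExecStart:  ", report(*hosts_from_exec_start(SAMPLE_EXEC_START)))
```

On a real host only one of the two sources applies, because dockerd refuses to start when `hosts` is set both in daemon.json and as a flag, but reading both keeps the check honest across images and hand-edited units. A loopback-only tcp listener is still reported, since anything on the box (including a container with host networking) can reach it; the wildcard flag is what distinguishes the case the worm's scanner actually finds.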

The researchers identified two Monero wallets associated with the campaign. To date, the attackers appear to have made only around $300, but this is believed to be only one of their campaigns.

One of the employed mining pools reveals that roughly 119 systems might have been compromised, including Kubernetes clusters and Jenkins build servers.

Analysis of the worm revealed numerous references to TeamTNT, as well as a link to the malware-hosting domain teamtnt[.]red, which features a homepage titled “TeamTNT RedTeamPentesting.”

The TeamTNT malware contains code copied from a worm called Kinsing, the researchers say. With most crypto-mining worms featuring code copied from predecessors, Cado Security expects future threats to include the ability to steal AWS credentials as well.

“Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying crypto-jacking worms are successful at infecting large amounts of business systems,” the security researchers conclude.

Related: Kinsing Linux Malware Deploys Crypto-Miner in Container Environments

Related: Vollgar Campaign Targets MS-SQL Servers With Backdoors, Crypto-Miners

Related: Misconfigured Docker Registries Expose Thousands of Repositories

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
