Cado Security has identified a crypto-mining worm that attempts to steal Amazon Web Services (AWS) credentials belonging to the organizations whose systems it has infected.
Operated by a group of attackers who call themselves TeamTNT, the worm has compromised many Docker and Kubernetes systems, Cado’s security researchers reveal.
On the infected system, the threat also searches for and exfiltrates local credentials, and starts scanning the Internet for misconfigured Docker platforms, to spread to them.
The targeted AWS credentials are stored in an unencrypted file at ~/.aws/credentials, and the malware steals the information by exfiltrating the .credentials file (along with the .config file stored at ~/.aws/config) to the attackers’ server.
“We sent credentials created by CanaryTokens.org to TeamTNT, however have not seen them in use yet. This indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn’t currently functioning,” the researchers say.
On the compromised systems, the worm deploys publicly available malware and offensive security tools, such as punk.py (SSH post-exploitation tool), a log cleaning tool, the Diamorphine rootkit, and the Tsunami IRC backdoor.
The TeamTNT worm can also scan for open Docker APIs, execute Docker images and install itself. It uses XMRig to mine for Monero virtual currency and generate revenue for the attackers.
The researchers identified two Monero wallets associated with the campaign. To date, the attackers appear to have made only around $300, but this is believed to be only one of their campaigns.
One of the employed mining pools reveals that roughly 119 systems might have been compromised, including Kubernetes clusters and Jenkins build servers.
Analysis of the worm revealed numerous references to TeamTNT, as well as a link to the malware-hosting domain teamtnt[.]red, which features a homepage titled “TeamTNT RedTeamPentesting.”
The TeamTNT malware contains code copied from a worm called Kinsing, the researchers say. With most crypto-mining worms featuring code copied from predecessors, Cado Security expects future threats to include the ability to steal AWS credentials as well.
“Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying crypto-jacking worms are successful at infecting large amounts of business systems,” the security researchers conclude.