A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.
According to researchers at Cado Security, the worm also deploys a number of openly available malware and offensive security tools, including “punk.py,” an SSH post-exploitation tool; a log cleaning tool; the Diamorphine rootkit; and the Tsunami IRC backdoor.
It is, they said, the first threat observed in the wild that specifically targets AWS for cryptojacking purposes. However, it also carries out more familiar fare.
“The worm also steals local credentials, and scans the internet for misconfigured Docker platforms,” according to a Monday posting. “We have seen the attackers … compromise a number of Docker and Kubernetes systems.”
As more businesses embrace cloud and container environments, misconfiguration has opened up a new attack surface for cybercriminals. That said, cryptomining threats taking aim at Docker and Kubernetes aren’t new. Attackers continue to scan for publicly accessible, open Docker/Kubernetes servers in an automated fashion, and then exploit them in order to set up their own containers and execute malware on the victim’s infrastructure.
Usually that malware is a cryptominer of some kind, as seen in April in a Bitcoin-mining campaign using the Kinsing malware. Sometimes the threat is more evolved, as seen in July, when a fresh Linux backdoor called Doki was seen infesting Docker servers to set the scene for any number of malware-based attacks, from denial-of-service/sabotage to information exfiltration to ransomware.
However, the focus on AWS in this latest set of campaigns, which were also flagged by MalwareHunterTeam, is unique, Cado researchers said.
The attack starts with targeting the way that AWS stores credentials in an unencrypted file at ~/.aws/credentials, and additional configuration details in a file at ~/.aws/config.
“The code to steal AWS credentials is relatively straightforward: on execution it uploads the default AWS credentials and config files to the attackers’ server, sayhi.bplace[.]net,” researchers explained. “Curl is used to send the AWS credentials to TeamTNT’s server.”
Interestingly, though the script is written to be a worm, the automated portion of the attack didn’t seem to be in full operation during the security firm’s analysis.
“We sent credentials created by CanaryTokens.org to TeamTNT, however have not seen them in use yet,” according to the post. “This indicates that TeamTNT either manually assesses and uses the credentials, or any automation they may have created isn’t currently functioning.”
The script that anchors TeamTNTâs worm is repurposed code from the aforementioned Kinsing malware, researchers said, which was originally used to scan for misconfigured Docker APIs, then spin up Docker images and install itself. They added that copying code from other tools is common in this area of cybercrime.
“In turn, it is likely we will see other worms start to copy the ability to steal AWS credentials files too,” they said. “Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying cryptojacking worms are successful at infecting large amounts of business systems.”
As far as attribution, TeamTNT announces itself in numerous references within the worm’s code, according to researchers, plus the group uses a domain called teamtnt[.]red. That domain hosts malware, and the homepage is entitled “TeamTNT RedTeamPentesting.”
TeamTNT has been prolific, and was spotted originally earlier in the year. In April, Trend Micro observed the group attacking Docker containers.
An examination by Cado of one of the mining pools, which yields information about the systems the AWS-capable worm has compromised, showed 119 compromised systems in that one pool alone, across AWS, Kubernetes clusters and Jenkins build servers.
“So far we have seen two different Monero wallets associated with these latest attacks, which have earned TeamTNT about three XMR,” researchers explained. “That equates to only about $300, however this is only one of their many campaigns.”
Cado researchers suggested that to thwart such attacks, businesses should identify which systems are storing AWS credential files and delete them if they aren’t needed; review network traffic for connections to mining pools, or for traffic sending the AWS credentials file over HTTP; and use firewall rules to limit access to Docker APIs.
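A defender-side check for the first of those recommendations, added here as an example and not taken from Cado’s post or the worm’s code: it locates ~/.aws/credentials files under the usual home directories, parses each profile in the AWS CLI’s INI layout, and reports a masked key id plus a risk label, flagging long-lived IAM user keys (AKIA… prefix, the kind that is useful to steal from disk) versus temporary STS keys (ASIA… prefix or a session token), without ever returning a secret. The sample file content and the home-directory locations are constructed assumptions.

```python
import configparser
from pathlib import Path

# Constructed sample in the INI layout the AWS CLI uses for ~/.aws/credentials (placeholder values).
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0
[ci-temp]
aws_access_key_id = ASIAEXAMPLEEXAMPLE02
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret1
aws_session_token = EXAMPLEtokenEXAMPLEtoken
"""

def audit_credentials_text(text, origin="<memory>"):
    """One finding per profile; secrets never leave this function, only a masked key id and a risk label."""
    parser = configparser.ConfigParser(interpolation=None)  # no '%' interpolation: key material may contain it
    parser.read_string(text)
    findings = []
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback="")
        # AKIA = long-lived IAM user key (what a credential-stealing worm wants); ASIA/session token = expiring STS key
        if key_id.startswith("AKIA"):
            risk = "long-lived"
        elif key_id.startswith("ASIA") or parser.has_option(profile, "aws_session_token"):
            risk = "temporary"
        else:
            risk = "unknown"
        findings.append({
            "origin": origin,
            "profile": profile,
            "key_id_masked": f"{key_id[:4]}...{key_id[-4:]}" if len(key_id) >= 8 else "",
            "risk": risk,
        })
    return findings

def audit_host(home_parents=("/home",), extra_homes=("/root",)):
    """Audit every <home>/.aws/credentials present on this host (assumed standard home locations)."""
    candidates = [Path(h, ".aws", "credentials") for h in extra_homes]
    for parent in home_parents:
        candidates.extend(Path(parent).glob("*/.aws/credentials"))
    findings = []
    for path in candidates:
        try:
            text = path.read_text()
        except (OSError, UnicodeDecodeError):
            continue  # missing, unreadable or not text: nothing to audit here
        findings.extend(audit_credentials_text(text, origin=str(path)))
    return findings
```

Any "long-lived" finding is a file worth removing or rotating if the host does not need it, and a rotation candidate if it does.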