Upgraded Crypto-Mining Malware Steals AWS Credentials

The crypto-mining malware used by the cybercrime group TeamTNT has been updated with new functionality that allows it to steal AWS credentials from infected servers.

The group has been active since at least April of this year, according to a report from Trend Micro, whose researchers found its cryptocurrency miner together with a DDoS bot used to target Docker systems while investigating an open directory containing malicious files first discovered by MalwareHunterTeam.

TeamTNT scans the web for misconfigured Docker APIs that have been left exposed online without a password. When the group finds a vulnerable Docker system, it deploys servers inside the installation to launch DDoS attacks and run crypto-mining malware.

However, TeamTNT is only one of many cybercrime gangs that employ similar tactics to take advantage of organizations whose systems are not properly secured online.

First cryptocurrency, now credentials

According to a new report from the UK-based security firm Cado Security, TeamTNT has expanded the scope of its malware to target Kubernetes installations while also adding a new feature that scans infected servers for any AWS credentials.

If an infected Docker or Kubernetes system runs on top of AWS infrastructure, the group scans for AWS credentials and configuration files, copies them and then uploads them to its command-and-control server. To make matters worse, both the ~/.aws/credentials and ~/.aws/config files stolen by TeamTNT are unencrypted and contain plaintext credentials and configuration details for a target's AWS account and infrastructure.

Thankfully though, the group has not yet used any of the stolen credentials, according to researchers at Cado Security, who sent a set of canary credentials to its C&C server; those credentials have yet to be used.
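Two defender-side checks that follow from the points above, written as an added example rather than code from the article or from Cado Security: the first audits a ~/.aws/credentials file for the kind of plaintext long-lived keys TeamTNT harvests, the second watches CloudTrail records for any use of a planted canary access key. The credentials text, the CloudTrail events and every key id are constructed sample data.

```python
"""Added example: audit plaintext AWS credentials and detect canary key use."""
import configparser

# Constructed sample ~/.aws/credentials content; the key ids and secrets are fake.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLELONGLIVED1
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-role]
aws_access_key_id = ASIAEXAMPLETEMPORARY2
aws_secret_access_key = secretEXAMPLE
aws_session_token = FwoGZXIvYXdzEXAMPLE
"""

# Constructed canary access key id that was deliberately planted and never used legitimately.
CANARY_KEY_IDS = {"AKIACANARYEXAMPLE0001"}

# Constructed CloudTrail-style records (real field names: eventName, userIdentity.accessKeyId, sourceIPAddress).
SAMPLE_CLOUDTRAIL = [
    {"eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELONGLIVED1"},
     "sourceIPAddress": "10.0.0.5"},
    {"eventName": "DescribeInstances",
     "userIdentity": {"accessKeyId": "AKIACANARYEXAMPLE0001"},
     "sourceIPAddress": "203.0.113.9"},
]


def find_long_lived_keys(credentials_text: str) -> list[str]:
    """Return profiles whose access key is a long-lived IAM user key stored in plaintext."""
    cp = configparser.ConfigParser()
    cp.read_string(credentials_text)
    flagged = []
    for profile in cp.sections():
        key_id = cp[profile].get("aws_access_key_id", "")
        # IAM user keys start with AKIA; temporary STS keys start with ASIA and carry a session token.
        if key_id.startswith("AKIA") and cp[profile].get("aws_secret_access_key"):
            flagged.append(profile)
    return flagged


def canary_hits(events: list[dict]) -> list[tuple[str, str]]:
    """Return (eventName, sourceIPAddress) for every API call made with a canary key."""
    return [
        (e["eventName"], e["sourceIPAddress"])
        for e in events
        if e.get("userIdentity", {}).get("accessKeyId") in CANARY_KEY_IDS
    ]


if __name__ == "__main__":
    print("plaintext long-lived keys in profiles:", find_long_lived_keys(SAMPLE_CREDENTIALS))
    print("canary key usage:", canary_hits(SAMPLE_CLOUDTRAIL))
```

Hosts flagged by the first check are candidates for moving to instance profiles or IAM roles so that no long-lived secret sits on disk; any hit from the second check means a stolen canary has been exercised and the host it was planted on should be treated as compromised.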

TeamTNT and its crypto-mining malware pose a serious risk to organizations because the group will likely be able to increase its earnings considerably, either by selling the stolen credentials or by using them to mine additional cryptocurrency.