Researchers Discover Crypto-mining Worm That Steals AWS Credentials


Researchers from security firm Cado Security have detected a crypto-mining worm that steals Amazon Web Services (AWS) credentials from infected servers. According to their analysis, this is the first worm known to carry such AWS-specific functionality.

August 18, 2020 | AtoZ Markets

Cybersecurity researchers have discovered what appears to be the first crypto-mining malware operation that contains functionality to steal AWS credentials from infected servers. The researchers spotted this new data-stealing feature in the malware used by TeamTNT, a cybercrime group that targets Docker installs.

The group has been active since at least April, according to research published earlier this year by security firm Trend Micro.

How TeamTNT operates

Per the report, TeamTNT operates by scanning the internet for misconfigured Docker installs, specifically hosts that expose the Docker management API on the internet without any authentication.

The group uses the exposed API to launch containers inside the Docker install that run DDoS and crypto-mining malware. These tactics are not unique to TeamTNT; multiple other cybercrime groups follow the same playbook.
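The exposure described above is a configuration problem on the victim's side, so the check worth having is one that reads the Docker daemon's own settings. The following audit script is an added example written for this article, not TeamTNT's code or Cado Security's tooling. It reads the two places dockerd takes its listeners from, the "hosts" key in /etc/docker/daemon.json and the -H/--host flags on the dockerd command line, and reports any tcp:// listener bound off-loopback without --tlsverify (TLS with client-certificate verification), which is exactly an unauthenticated remote API. The weak and hardened daemon.json documents and the command lines are constructed samples, not captured from a real host, and the certificate paths in the hardened sample are placeholders.

```python
"""Audit a Docker daemon's listen configuration for an unauthenticated TCP API.

Added example for this article; not TeamTNT's code or Cado Security's tooling.
All sample configurations below are constructed.
"""
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample: the weak setting. Plain TCP on every interface, no TLS.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: the corrected setting. TLS with client certificate
# verification on the conventional TLS port; the certificate paths are placeholders.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def listeners_from_daemon_json(text):
    """Return (host, tls_verify) pairs declared in a daemon.json document."""
    cfg = json.loads(text)
    tls_verify = bool(cfg.get("tlsverify", False))
    return [(host, tls_verify) for host in cfg.get("hosts", [])]


def listeners_from_cmdline(cmdline):
    """Return (host, tls_verify) pairs taken from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return [(host, tls_verify) for host in hosts]


def exposed_tcp_listeners(listeners):
    """Return the tcp:// listeners reachable off-host without client authentication."""
    findings = []
    for host, tls_verify in listeners:
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local to the host
        # dockerd binds every interface when the address part is empty ("tcp://:2375").
        bind = url.hostname or "0.0.0.0"
        if bind not in LOOPBACK and not tls_verify:
            findings.append(host)
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, exposed_tcp_listeners(listeners_from_daemon_json(text)))
    print("cmdline", exposed_tcp_listeners(
        listeners_from_cmdline("dockerd -H fd:// -H tcp://0.0.0.0:2375")))
```

Note that `--tls` alone is not enough to pass this check: it encrypts the connection but does not authenticate the client, so only `tlsverify` (or a loopback bind fronted by SSH) clears a listener.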

But in a new report published Aug. 17, UK security firm Cado Security says the TeamTNT gang has recently updated its mode of operation.

Cado researchers say that, besides the original functionality, TeamTNT has expanded its attacks to target Kubernetes installations and has added a routine that harvests AWS credentials from infected hosts and sends them to the group's command-and-control server.


Has the attacker used the stolen AWS Credentials?

Cado researchers believe the attacker has not yet started using any of the stolen credentials. They sent a set of canary credentials to the TeamTNT C&C server and monitored them; none of those accounts had been accessed as of Aug. 17, when the research was published.
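The canary technique above works because a decoy key that should never be used produces an unmistakable signal the moment someone tries it. The script below is an added example written for this article, not Cado Security's code. It assumes the planted credentials sit in the standard AWS CLI credentials file (INI format, one profile per section with aws_access_key_id and aws_secret_access_key); the article does not say where on disk the worm looks, so that is an assumption. The credentials file and the CloudTrail records are constructed samples: the access keys are the placeholder values from AWS documentation, the IP addresses are from TEST-NET ranges, and none of it is a real observation.

```python
"""Detect use of canary AWS credentials in CloudTrail records.

Added example for this article; not Cado Security's code. The credentials file
and CloudTrail log below are constructed samples.
"""
import configparser
import json

# Constructed: a decoy credentials file left where a credential-stealing worm
# would find it. The key belongs to an IAM user with no permissions at all.
CANARY_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Constructed: a CloudTrail log with one legitimate call and two calls made with
# the canary key. The second canary call was denied, which is still proof that
# whoever holds the stolen file tried the key.
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2020-08-16T22:03:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.24",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
    {"eventTime": "2020-08-17T09:12:44Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "canary",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2020-08-17T09:12:51Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.7",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "canary",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]})


def canary_access_keys(credentials_text):
    """Collect the access key IDs planted in a credentials file, across all profiles."""
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_text)
    return {cfg[p]["aws_access_key_id"] for p in cfg.sections()
            if "aws_access_key_id" in cfg[p]}


def canary_hits(cloudtrail_text, canary_keys):
    """Return every CloudTrail record made with a canary key, denied or not."""
    hits = []
    for rec in json.loads(cloudtrail_text)["Records"]:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key not in canary_keys:
            continue
        hits.append({
            "accessKeyId": key,
            "eventTime": rec.get("eventTime"),
            "eventName": rec.get("eventName"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            # A denied call is still a hit: the key should never be used at all.
            "errorCode": rec.get("errorCode"),
        })
    return hits


if __name__ == "__main__":
    keys = canary_access_keys(CANARY_CREDENTIALS_FILE)
    for hit in canary_hits(SAMPLE_CLOUDTRAIL_LOG, keys):
        print(hit)
```

Two practical points: sts:GetCallerIdentity succeeds for any valid key and is recorded in CloudTrail, so it is usually the first event a tester of stolen credentials generates, which is why the match is on the access key ID rather than on success or failure; and planting a distinct canary key on each host lets the alert name the server that was compromised.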

Nevertheless, if the attackers decide to use them, TeamTNT stands to boost its profits considerably, either by running crypto-miners directly on more powerful AWS EC2 instances or by selling the stolen credentials on the black market.

Currently, Cado has only a limited view of TeamTNT's operation. The firm has been able to track only a few of the Monero wallet addresses the group uses to collect mined funds. While those wallets show only about $300, the group's real take is believed to be many times higher, because crypto-mining botnets usually spread their earnings across thousands of wallet addresses to make tracking or seizing the funds harder.
