A newly added feature in a previously known cryptomining operation is targeting AWS credentials, according to a report by security firm Cado Security.
The group behind this new campaign is known as TeamTNT, a cybercrime group that has been targeting Docker installations. According to Trend Micro researchers, the group has been active since at least April.
TeamTNT Cybercrime Gang
TeamTNT cryptomining operations usually scan the internet for misconfigured Docker systems whose management APIs are exposed without a password. TeamTNT then uses the API to run servers inside the Docker installation that launch DDoS attacks and cryptominers. This behavior has been seen before in such attacks. The latest addition, however, is unusual: the group is now also stealing AWS (Amazon Web Services) credentials and targeting Kubernetes installations.
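The misconfiguration described above is a Docker daemon listening on a TCP socket with no client authentication. The script below is an added example (not code from the Cado Security report or from TeamTNT) that audits the two places dockerd takes its listen addresses from, the "hosts" key in daemon.json and -H/--host flags on the command line, and flags any tcp:// listener that is not protected by TLS client-certificate verification. The daemon.json text and command line it parses are constructed samples.

```python
"""Audit a Docker daemon configuration for an unauthenticated TCP API.

Added example. It reads listen addresses from the "hosts" key of
daemon.json or from -H/--host flags on the dockerd command line (dockerd
refuses to start if both are set, so each source is audited on its own)
and reports tcp:// listeners that lack --tlsverify.
"""
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs standing in for /etc/docker/daemon.json and a
# dockerd command line taken from a systemd unit or `ps`.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tlsverify": False,
})
SAMPLE_CMDLINE = ("dockerd -H fd:// --host=tcp://0.0.0.0:2376 "
                  "--tlsverify --tlscacert=/etc/docker/ca.pem")


def listeners_from_daemon_json(text):
    """Return (hosts, tlsverify) from daemon.json content."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def listeners_from_cmdline(cmdline):
    """Return (hosts, tlsverify) from a dockerd command line."""
    argv = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("-H=") or arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit(hosts, tlsverify):
    """Return (severity, host, reason) tuples for risky TCP listeners."""
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// are local and governed by file permissions
        if not tlsverify:
            findings.append(("HIGH", h, "API reachable over TCP with no client authentication"))
        elif u.hostname in (None, "0.0.0.0", "::"):
            findings.append(("INFO", h, "TLS-verified API bound to all interfaces"))
    return findings


def audit_daemon_json(text):
    return audit(*listeners_from_daemon_json(text))


def audit_cmdline(cmdline):
    return audit(*listeners_from_cmdline(cmdline))


if __name__ == "__main__":
    for finding in audit_daemon_json(SAMPLE_DAEMON_JSON) + audit_cmdline(SAMPLE_CMDLINE):
        print(*finding, sep="\t")
```

On a real host, feed `audit_daemon_json` the contents of /etc/docker/daemon.json and `audit_cmdline` the ExecStart line of the docker systemd unit; a HIGH finding means anyone who can reach that port can start containers on the host, which is exactly the foothold the campaign relies on.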
The newly added feature scans infected servers for AWS credentials. If the compromised Docker or Kubernetes systems are running on AWS, the malware looks for ~/.aws/credentials and ~/.aws/config, then copies and uploads those files to its command-and-control server.
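Because the files being taken are the standard AWS CLI/SDK credential files, a read of them by an unexpected process is a usable detection signal. The script below is an added example, not code from the Cado Security report, that correlates auditd SYSCALL and PATH records by event serial and alerts when ~/.aws/credentials or ~/.aws/config is opened by an executable outside an allowlist. It assumes auditd watch rules on the .aws directories with key "aws-creds" (shown in the docstring) and an allowlist of expected readers that must be tuned per host; the log lines are constructed samples.

```python
"""Flag reads of AWS credential files by unexpected processes in auditd logs.

Added example. It assumes the host logs reads of the AWS credential files
with auditd watch rules such as:
    -w /home/ubuntu/.aws/ -p r -k aws-creds
    -w /root/.aws/ -p r -k aws-creds
ALLOWED_READERS is an assumption tuned per host: SDK-based tools (boto3
scripts, terraform, etc.) read the same files and would need to be added.
"""
import re
from collections import defaultdict

ALLOWED_READERS = {"/usr/local/bin/aws", "/usr/bin/aws"}
CRED_FILE_RE = re.compile(r"/\.aws/(credentials|config)$")
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records: a legitimate CLI read, a read by curl running
# as root, and a read of .aws/config by a shell spawned from that curl.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1598432100.101:2001): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 comm="aws" exe="/usr/local/bin/aws" key="aws-creds"
type=PATH msg=audit(1598432100.101:2001): item=0 name="/home/ubuntu/.aws/credentials" inode=1050 dev=ca:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1598432105.402:2002): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=4321 auid=4294967295 uid=0 gid=0 comm="curl" exe="/usr/bin/curl" key="aws-creds"
type=PATH msg=audit(1598432105.402:2002): item=0 name="/root/.aws/credentials" inode=2077 dev=ca:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1598432106.003:2003): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4321 pid=4322 auid=4294967295 uid=1000 gid=1000 comm="sh" exe="/bin/dash" key="aws-creds"
type=PATH msg=audit(1598432106.003:2003): item=0 name="/home/ubuntu/.aws/config" inode=1051 dev=ca:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
"""


def parse_record(line):
    """Return (event serial, {field: value}) for one auditd record."""
    m = MSG_RE.search(line)
    if not m:
        return None, {}
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return m.group(2), fields


def group_events(lines):
    """Merge SYSCALL and PATH records that share an event serial."""
    events = defaultdict(lambda: {"paths": []})
    for line in lines:
        serial, f = parse_record(line)
        if serial is None:
            continue
        if f.get("type") == "SYSCALL":
            events[serial].update(exe=f.get("exe"), comm=f.get("comm"),
                                  uid=f.get("uid"), success=f.get("success"))
        elif f.get("type") == "PATH" and "name" in f:
            events[serial]["paths"].append(f["name"])
    return events


def detect(lines, allowed=ALLOWED_READERS):
    """Return one alert per credential-file access by a non-allowlisted exe."""
    alerts = []
    for serial, ev in group_events(lines).items():
        hits = [p for p in ev["paths"] if CRED_FILE_RE.search(p)]
        if not hits or ev.get("exe") in allowed:
            continue
        for path in hits:
            alerts.append({"serial": serial, "exe": ev.get("exe"), "comm": ev.get("comm"),
                           "uid": ev.get("uid"), "success": ev.get("success"), "path": path})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"event {a['serial']}: {a['exe']} (uid {a['uid']}) read {a['path']}")
```

Correlating on the serial rather than matching PATH records alone is what lets the rule name the process and user, which is the difference between an alert an analyst can act on and a count of file opens; a read by a container runtime or a shell inside a container deserves the most attention in this campaign.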
“The code to steal AWS credentials is relatively straightforward – on execution it uploads the default AWS .credentials and .config files to the attackers’ server, sayhi.bplace[.]net”, the report says.
According to Cado Security, TeamTNT’s worm contains code copied from another worm named Kinsing, which is designed to stop the Alibaba Cloud Security tools.
Kinsing was developed and launched by an experienced hacking group and set against web servers. According to the available reports, the malware targets a Docker weakness caused by a misconfiguration of the service: the attack is possible when web administrators have failed to properly secure their Docker installations, creating an opportunity for the attackers.
As for the TeamTNT operation, the researchers believe the group has not yet used any of the stolen AWS credentials. According to the report, the researchers sent a set of credentials to the TeamTNT C&C server, and none of those accounts had been accessed by the time their report was released.
Whenever TeamTNT does decide to use the stolen credentials, however, it could either install cryptominers on the victims’ AWS accounts or sell the credentials on underground forums.