Upgraded crypto-mining malware now steals AWS credentials

(Image credit: Shutterstock)

The crypto-mining malware used by the cybercrime group TeamTNT has been updated with new functionality that allows it to steal AWS credentials from infected servers.

The group has been operating since at least April of this year according to a report from Trend Micro, whose researchers discovered its cyptocurrency miner along with a DDoS bot used to target Docker systems while investigating an open directory containing malicious files first discovered by MalwareHunterTeam.

TeamTNT scans the internet searching for misconfigured Docker APIs that have been left exposed online without a password. When the group finds a vulnerable Docker system, it deploys servers inside the installation to launch DDoS attacks and run crypto-mining malware. 

However, TeamTNT is just one of many cybercrime gangs that employs similar tactics in order to take advantage of organizations whose systems are not properly secured online.

First cryptocurrency, now credentials

According to a new report from the UK-based security firm Cado Security, TeamTNT has expanded the scope of its malware to target Kubernetes installations while also adding a new feature that scans infected servers for any AWS credentials.

If an infected Docker or Kubernetes system runs on top of AWS infrastructure, the group scans for AWS credentials and configuration files, copies them and then uploads them to its command-and-control server. To make matters worse, both the ~/.aws/credentials and ~/.aws/config files stolen by TeamTNT are unencrypted and contain plaintext credentials and configuration details for a target's AWS account and infrastructure.

Thankfully though, the group has not yet used any of the stolen credentials according to researchers at Cabo Security who sent a collection of canary credentials to its C&C server which have yet to have been used.

Team TNT and its crypto-mining malware pose a serious threat to organizations as the group will likely be able to boost its profits significantly by either selling the stolen credentials or using them to mine additional cryptocurrency.

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.