Crypto-worm steals AWS credentials from Docker, Kubernetes systems


A cybercrime group known as TeamTNT is using a crypto-mining worm to steal plaintext AWS credentials and config files from compromised Docker and Kubernetes systems.

TeamTNT's cryptocurrency mining botnet was first reported in May by MalwareHunterTeam and further analyzed by Trend Micro researchers who discovered its affinity for misconfigured Docker containers.

According to researchers at Cado Security, this is the first-ever worm that comes with AWS credential theft functionality on top of run-of-the-mill cryptomining modules.

This botnet uses already infected servers to execute an open-source masscan IP port scanner instance that scans for exposed Docker APIs (and Kubernetes systems as later discovered), installing itself in new containers on any misconfigured servers it finds.

Code used for spreading to other Docker systems (Cado Security)

AWS credentials exfiltration

Once it infects a server, the TeamTNT worm will scan the system for the unencrypted files the AWS CLI uses to store credentials and configuration information, located at ~/.aws/credentials and ~/.aws/config.

After it finds the data it looks for, the worm will upload it to attacker-controlled command-and-control servers using curl.

As the researchers found, the attackers are either checking the stolen AWS credentials manually, or their automated checks aren't yet operational.

"We sent credentials created by CanaryTokens.org to TeamTNT, however have not seen them in use yet," the report says.

"This indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn’t currently functioning."

Code used to steal AWS credentials (Cado Security)

Crypto-mining operation

TeamTNT will also deploy an XMRig CPU miner on compromised systems that starts mining for Monero (XMR) cryptocurrency.

All the cash generated from this crypto-mining operation is sent to attackers' Monero wallets, with the researchers having found only two wallets connected to this campaign with 3 XMR in them (worth around $300).

However, the total amount should be a lot larger given that crypto-mining campaigns commonly use hundreds of wallets to store the operators' illicit gains.

"Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying crypto-jacking worms are successful at infecting large amounts of business systems," the researchers said.

To defend against the TeamTNT worm's attacks, Cado Security recommends deleting any files that store AWS credentials and config info in plaintext, blocking access to Docker APIs using firewall whitelist rules, and monitoring connections made to mining pools using the Stratum mining protocol.
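As an added example (not code from Cado Security's report or from the worm itself), the following Python audit implements two of these checks on the defender's side: it lists AWS CLI profiles that keep a long-lived secret key in plaintext, and it flags Stratum-style mining JSON-RPC messages in captured traffic. The Stratum method-name set is an assumption based on common miner clients, and the sample credentials file and payloads are constructed for the example.

```python
"""Defender-side audit for the two indicators described above: AWS CLI
credential files holding keys in plaintext (the files the worm exfiltrates)
and Stratum-style mining-pool JSON-RPC traffic.  Sample inputs are constructed."""
import configparser
import json
import os

# Constructed sample of an AWS CLI credentials file (INI format).
# Values are placeholders, not real keys.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIA_PLACEHOLDER_ID
aws_secret_access_key = PLACEHOLDER_SECRET

[sso-only]
sso_start_url = https://example.invalid/start
"""

# JSON-RPC method names used by Stratum mining clients.  Assumption: the set
# seen with XMRig/Monero pools ("login", "submit", "keepalived") plus the
# classic Stratum v1 names; extend it for other miners.
STRATUM_METHODS = {"login", "submit", "keepalived",
                   "mining.subscribe", "mining.authorize", "mining.submit"}


def plaintext_aws_profiles(credentials_text):
    """Return the profile names that store a secret access key in plaintext."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    return [s for s in parser.sections()
            if parser.has_option(s, "aws_secret_access_key")]


def audit_home_credentials(path=os.path.expanduser("~/.aws/credentials")):
    """Audit the current user's real AWS CLI credentials file, if present."""
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return plaintext_aws_profiles(fh.read())


def is_stratum_message(payload):
    """True if a captured TCP payload line looks like a Stratum JSON-RPC call."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


if __name__ == "__main__":
    print("plaintext profiles in sample:", plaintext_aws_profiles(SAMPLE_CREDENTIALS))
    print("plaintext profiles in ~/.aws/credentials:", audit_home_credentials())
    # Constructed payload of the kind an XMRig-style miner sends to a pool.
    print(is_stratum_message('{"id":1,"method":"login","params":{"login":"WALLET_PLACEHOLDER"}}'))
```

Profiles flagged here should be moved to short-lived credentials (for example SSO or an instance role) rather than left on disk; the Stratum check is a heuristic to run over extracted TCP payloads, not a substitute for egress filtering.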
