AWS Cryptojacking Worm Spreads Through the Cloud

The malware harvests AWS credentials and installs Monero cryptominers.

A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.

According to researchers at Cado Security, the worm also deploys a number of openly available malware and offensive security tools, including “punk.py,” a SSH post-exploitation tool; a log cleaning tool; the Diamorphine rootkit; and the Tsunami IRC backdoor.

It is, they said, the first threat observed in the wild that specifically targets AWS for cryptojacking purposes. However, it also carries out more familiar fare.

“The worm also steals local credentials, and scans the internet for misconfigured Docker platforms,” according to a Monday posting. “We have seen the attackers…compromise a number of Docker and Kubernetes systems.”

As more businesses embrace cloud and container environments, it has opened up a new attack surface for cybercriminals via misconfiguration. That said, cryptomining threats taking aim at Docker and Kubernetes aren’t new. Attackers continue to scan for publicly accessible, open Docker/Kubernetes servers in an automated fashion, and then exploit them in order to set up their own containers and execute malware on the victim’s infrastructure.

Usually that malware is a cryptominer of some kind, as seen in April in a Bitcoin-mining campaign using the Kinsing malware. Sometimes the threat is more evolved, as seen in July, when a fresh Linux backdoor called Doki was seen infesting Docker servers to sett the scene for any number of malware-based attacks, from denial-of-service/sabotage to information exfiltration to ransomware.

However, the focus on AWS in this latest set of campaigns – which were also flagged by MalwareHunterTeam – is unique, Cado researchers said.

Attacking AWS

The attack starts with targeting the way that AWS stores credentials in an unencrypted file at ~/.aws/credentials, and additional configuration details in a file at ~/.aws/config.

“The code to steal AWS credentials is relatively straightforward – on execution it uploads the default AWS credentials and config files to the attackers’ server, sayhi.bplace[.]net,” researchers explained. “Curl is used to send the AWS credentials to TeamTNT’s server.”

Interestingly, though the script is written to be a worm, the automated portion of the attack didn’t seem to be in full operation during the security firm’s analysis.

“We sent credentials created by CanaryTokens.org to TeamTNT, however have not seen them in use yet,” according to the post. “This indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn’t currently functioning.”

The script that anchors TeamTNT’s worm is repurposed code from the aforementioned Kinsing malware, researchers said, which was originally used to scan for misconfigured Docker APIs, then spin up Docker images and install itself. They added that copying code from other tools is common in this area of cybercrime.

“In turn, it is likely we will see other worms start to copy the ability to steal AWS credentials files too,” they said. “Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying cryptojacking worms are successful at infecting large amounts of business systems.”

TeamTNT – It’s Dynamite

As far as attribution, TeamTNT announces itself in numerous references within the worm’s code, according to researchers, plus the group uses a domain called teamtnt[.]red. That domain hosts malware, and the homepage is entitled “TeamTNT RedTeamPentesting.”

TeamTNT has been prolific, and was spotted originally earlier in the year. In April, Trend Micro observed the group attacking Docker containers.

An examination by Cado of one of the mining pools yielding information about the systems that the AWS-capable worm has compromised showed that for the one pool, there were 119 compromised systems, across AWS, Kubernetes clusters and Jenkins build servers.

“So far we have seen two different Monero wallets associated with these latest attacks, which have earned TeamTNT about three XMR,” researchers explained. “That equates to only about $300, however this is only one of their many campaigns.”

Cado researchers suggested that to thwart such attacks, businesses should identify which systems are storing AWS credential files and delete them if they aren’t needed. Also, review network traffic for any connections to mining pools or those sending the AWS credentials file over HTTP; and, use firewall rules to limit any access to Docker APIs.

It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.

 

Suggested articles