Crypto-Mining Malware Steals AWS Credentials from 119 Compromised Systems

According to a new security report by UK cybersecurity firm Cado Security, a crypto-mining malware has been stealing Amazon Web Services (AWS) credentials and config files from infected systems. 

The malware, made by the hacking group TeamTNT, has been observed to have compromised 119 Docker and Kubernetes systems. It spreads as a worm that scans the internet for misconfigured systems of this kind.

Cado Security noted that not only do the worms steal AWS credentials from compromised systems, they also collect local credentials from infected systems.  

Explaining how the worm malware works, the security firm stated that the hackers use a straightforward approach in acquiring these credentials. 

Since AWS uses unencrypted files to store credentials and config documents at ~/.aws/credentials and ~/.aws/config, the malware checks any infected system that runs on AWS infrastructure for these files, then copies and uploads them to the group's main server, sayhi.bplace[.]net.

Further investigation revealed that the stolen credentials had not been used. Cado Security stated that the credentials created by were sent to the TeamTNT server, but it still shows that the files have not been accessed. 

“This indicates that TeamTNT either manually assesses and uses the credentials, or any automation they may have created isn’t currently functioning,” the security firm added. 

As per the report, this appears to be the first time that crypto-mining malware has been deployed to attack infected servers’ AWS infrastructure.

However, since most cybercrime groups develop their malware by copying existing code, it will not be surprising to see more groups launch sophisticated malware to disrupt AWS systems.

TeamTNT is a cybercrime group believed to have gone live in April this year. The group operates by scanning the internet for Docker systems whose management APIs are exposed without password protection.

The API is usually accessed using masscan before DDoS and crypto-mining malware is installed on the Docker systems.
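As an added example (not taken from Cado Security's report or from this article), the following Python code checks a host for the two weaknesses described above: access keys sitting in a plaintext AWS credentials file, and a Docker daemon configured to serve its API over TCP without TLS client verification. The function names and sample input are constructed for illustration; the code assumes the standard INI layout of the shared credentials file and Docker's daemon.json `hosts` and `tlsverify` keys.

```python
import configparser, json, os, stat, tempfile
from pathlib import Path

def audit_aws_credentials(path):
    """Return findings for an AWS shared credentials file (INI format)."""
    path, findings = Path(path), []
    if not path.is_file():
        return findings
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        findings.append(f"{path.name}: mode {mode:o} is accessible beyond the owner")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    for profile in cp.sections():
        key_id = cp.get(profile, "aws_access_key_id", fallback="")
        # AKIA prefix = long-term IAM user key; ASIA = temporary STS key
        if key_id.startswith("AKIA"):
            findings.append(f"[{profile}] long-term access key in plaintext")
        elif key_id.startswith("ASIA"):
            findings.append(f"[{profile}] temporary session key in plaintext")
    return findings

def audit_docker_daemon(config_text):
    """Return TCP listeners in a daemon.json that lack TLS client verification."""
    cfg = json.loads(config_text)
    return [f"{h}: Docker API on TCP without tlsverify"
            for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and not cfg.get("tlsverify", False)]

def demo():
    """Run both checks on constructed sample input (no real credentials)."""
    with tempfile.TemporaryDirectory() as d:
        cred = Path(d) / "credentials"
        cred.write_text(
            "[default]\n"
            "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
            "aws_secret_access_key = CONSTRUCTED-PLACEHOLDER\n"
            "[ci]\n"
            "aws_access_key_id = ASIACONSTRUCTED00000\n"
            "aws_secret_access_key = CONSTRUCTED-PLACEHOLDER\n")
        os.chmod(cred, 0o644)
        aws = audit_aws_credentials(cred)
    docker = audit_docker_daemon(
        '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')
    return aws, docker

if __name__ == "__main__":
    for finding in sum(demo(), []):
        print(finding)
```

On a real host, point `audit_aws_credentials` at `~/.aws/credentials` and pass the contents of the Docker daemon configuration file to `audit_docker_daemon`.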

Cado Security stated that TeamTNT’s tactics are no different from those of other cybercrime groups in existence. The security outfit disclosed that TeamTNT’s crypto-mining malware is a replica of another worm designed by Kinsing to compromise Alibaba’s Cloud Security tools.

TeamTNT Mining Monero (XMR)

Furthermore, the malware deploys the Monero crypto-jacking mining tool XMRig onto infected systems to mine Monero (XMR) for the group. Cado Security noted that the malware has successfully mined 3 XMR ($300).

Investigations show that two Monero wallet addresses have been linked to the attack. Even though Cado Security has identified only two Monero wallet addresses, there is a strong indication that TeamTNT has illegally mined more XMR, as crypto-mining botnets usually use different wallet addresses to make tracking difficult.

Meanwhile, Coinfomania reported that a Monero hack program generated $1.69 million annually.