TeamTNT group spreads AWS credential-stealing worm

The malware installs cryptominer and steals AWS credentials

AWS credentials-stealing worm targets Docker and Kubernetes systems

Security researchers from Cado Security have published a new report,[1] detailing the discovery of a new botnet that has been active since at least April 2020.[2] Dubbed TeamTNT, the botnet targets Docker installs and spreads malware capable of abusing victims' systems to mine Monero cryptocurrency.

While crypto-malware is nothing new, this self-propagating worm is also capable of stealing Amazon Web Services (AWS) credentials in the background and delivering this information directly into cybercriminals' hands. Researchers said that the newly discovered malware is relatively unique with regard to its AWS credential-theft functionality.

According to the Cado Security post, the worm targets various cloud-based platforms, such as Docker and Kubernetes:

The worm also steals local credentials, and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves “TeamTNT”, compromise a number of Docker and Kubernetes systems.

The attackers are now concentrating on these platforms for obvious reasons: many companies and organizations are now storing plenty of sensitive data files online, along with backups of their servers. By stealing AWS credentials, malware authors are provided with access to the most valuable information.

Malicious actors abuse misconfigured APIs

Leaving misconfigured management APIs exposed can lead to disaster, as happened to the data management company Attunity,[3] which exposed sensitive information of its high-profile clients, including Ford and Netflix. Unfortunately, this outcome is not unique: plenty of businesses and organizations fail to protect their management APIs from unauthorized access.

The cybercriminal gang TeamTNT, which spreads the data-stealing and crypto-mining worm, targets precisely these occurrences: the threat actors scan the internet for vulnerable Docker systems whose management API is not protected by a password. Once inside, they are able to deploy the malware as well as launch DDoS attacks.

This type of infection routine is nothing new and has been seen in previous campaigns. Security experts said, however, that a worm with this functionality has never before been used to steal AWS credentials, so the TeamTNT attacks are relatively unique at present.

The worm attacks AWS, deploys additional malware

TeamTNT not only expanded the set of platforms the malware attacks (adding Kubernetes) but also built a more important capability into the worm: theft of AWS credentials. If the compromised system also runs AWS infrastructure, the malware scans ~/.aws/credentials and ~/.aws/config, which store their contents unencrypted. Since the data sits in plain text and is not otherwise protected, it can be easily read and delivered to the attackers' command-and-control server.
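As an added defensive check that is not part of the article or of Cado Security's report: the following Python audit flags the two conditions described above, a Docker management API listening on TCP without client-certificate verification and long-lived AWS access keys sitting in plain text in ~/.aws/credentials. It assumes access to the host's daemon.json and credentials file; the inputs below are constructed samples, and the AKIA/ASIA prefix convention (long-lived versus temporary key IDs) is used to tell the two key types apart.

```python
"""Host-side audit for an unauthenticated Docker API and plaintext AWS keys."""
import configparser
import json
from urllib.parse import urlparse


def docker_api_exposed(daemon_json: str) -> list[str]:
    """Return TCP listeners in a Docker daemon.json that are not protected
    by client-certificate verification ("tlsverify": true)."""
    cfg = json.loads(daemon_json or "{}")
    if cfg.get("tlsverify") is True:
        return []  # every listener demands a client certificate
    return [h for h in cfg.get("hosts", []) if urlparse(h).scheme == "tcp"]


def static_aws_profiles(credentials_ini: str) -> list[str]:
    """Return profiles holding long-lived access keys (AKIA... and no
    session token). These sit unencrypted and are read verbatim by a
    credential-stealing worm of the kind the article describes."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_ini)
    found = []
    for profile in parser.sections():
        key_id = parser[profile].get("aws_access_key_id", "")
        has_token = parser[profile].get("aws_session_token") is not None
        if key_id.startswith("AKIA") and not has_token:
            found.append(profile)
    return found


# Constructed samples: a daemon.json exposing the API over plain TCP and a
# credentials file with one static profile and one temporary (ASIA) profile.
SAMPLE_DAEMON_JSON = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
)
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = constructed/example/secret
[ci-role]
aws_access_key_id = ASIAEXAMPLEEXAMPLE02
aws_secret_access_key = constructed/example/secret
aws_session_token = constructed.example.token
"""

if __name__ == "__main__":
    print("exposed Docker listeners:", docker_api_exposed(SAMPLE_DAEMON_JSON))
    print("profiles with static keys:", static_aws_profiles(SAMPLE_CREDENTIALS))
```

On a real host, feed the functions the contents of /etc/docker/daemon.json and ~/.aws/credentials; any static profile reported is a candidate for replacement with short-lived, role-based credentials.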

Post-infection, the malware delivers the XMRig[4] miner, which mines Monero and sends the funds to the threat actors' wallets. The TeamTNT gang later deploys further malicious tools on the compromised network, including an SSH post-exploitation tool, the Tsunami IRC backdoor, the Diamorphine rootkit, and others. Evidently, the attackers are trying to extract as much profit from the botnet as possible.

Researchers at Cado Security claimed that they found 119 compromised systems, although they believe that the number of infected Kubernetes Clusters and Jenkins Build Servers. Nonetheless, it is believed that the real number might be much higher, along with the cash that the gang gained so far:

So far we have seen two different Monero wallets associated with these latest attacks, which have earned TeamTNT about 3 XMR. That equates to only about $300 USD; however, this is only one of their many campaigns.

Experts also said that TeamTNT has not yet put the stolen AWS credentials to use: the team sent canary tokens to TeamTNT and found that those credentials have not yet been accessed. The criminals could, however, have inspected this data manually, which would leave no footprint.

Once the attackers put the stolen credentials to use, they can increase their profits even further: install cryptominers on more powerful AWS EC2 clusters or sell the information on underground hacking forums.[5]

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
