Cado Security Identified a Crypto-Mining Worm to Steal AWS Credentials


Cado Security has discovered a crypto-mining worm that attempts to steal credentials belonging to Amazon Web Services (AWS) from organizations whose networks it has infiltrated.

Run by a group of attackers who call themselves TeamTNT, several Docker and Kubernetes systems have been infiltrated by the worm, Cado’s security researchers show.

The vulnerability also checks for and exfiltrates local passwords on the infected system, and begins searching the Internet for misconfigured Docker platforms, to spread to them.

The targeted AWS credentials are stored in an unencrypted file at ~/.aws/credentials, and the malware extracts the details from the attackers’ server by exfiltrating the.credentials file (together with the.config file stored at ~/.aws/config).

“We submitted credentials provided by to TeamTNT, but they have not yet been seen in use. This indicates that either the credentials are manually evaluated and used by TeamTNT, or any automation they may have created is not currently working, “say the researchers.

On the compromised systems, the worm deploys publicly available malware and offensive security tools, such as (SSH post-exploitation tool), a log cleaning tool, the Diamorphine rootkit, and the Tsunami IRC backdoor.

The TeamTNT worm can also scan for open Docker APIs, execute Docker images and install itself. It uses XMRig to mine virtual currency for Monero and it generates revenue for the attackers.

The investigators identified two Monero wallets related to the campaign. The attackers seem to have made only around $300 to date, but this is believed to be just one of their campaigns.

One of the employed mining pools reveals that roughly 119 systems might have been compromised, including Kubernetes clusters and Jenkins build servers.

Analysis of the worm revealed numerous references to TeamTNT, as well as a link to the malware-hosting domain teamtnt[.]red, which features a homepage titled “ TeamTNT RedTeamPentesting.

The TeamTNT malware contains code copied from a worm called Kinsing, the researchers say. With most crypto-mining worms featuring code copied from predecessors, Cado Security expects future threats to include the ability to steal AWS credentials as well.

“Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying crypto-jacking worms are successful at infecting large amounts of business systems , ” the security researchers conclude.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.