Cryptomining botnet stealing aws credentials

Also, review network traffic for any connections to mining pools or those sending the AWS credentials file over HTTP; and, use firewall rules to limit any access to Docker APIs.

It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentaryThreatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint.

H��W�n[G}�W�C؀y��]��Z�I’��<$�MQ�”��Iʊ�맖�h�� ���յ�s�Zg��@g�(@��O��W0��?�0[���7��2�M�ڬ���d1�W�A2g���`�[k��ufr���’�5&��)�ZcM�s��”��5V�,/�UYQ��/ond���f�֯�����������ˁ������J����0x�k�/��l�uh�K�L��@�Y�\TEVz|��9�C �S�a 7��� �flxU�p�0Kå„�a�r�.��yN�;���n�F�g#��+2|�,�����f��E’�?�/���|}_i�),�”_*W�!�`x�.��c��E�–�82C��#_�i���~S��f}��b��j�r��’�O�GZ”�N��)�[�y��,y������D���߃����’���%6�ߪe�ZNx˕94��]H�����r9���UsM���SxW�ܤd+��]�ɂûc�� p6�4�s��l��?K���”���Z9�5�V`�i��V��_}sh�!���!%L0�����14U�b,n�%L���]1��^���%��� �h���c��RѬ�.��”��?L�������� 3fE�� “��t������k�\��R=�4x�?&(}A�~��”����&t*8″�-C7-�n��FT �%k�c*V�GT���’6�C��y���l��� �U-%%Uִ*�kp#�H����P`y�qq�sD%p�y$!�*uLt5���G� H�a�T��D%��l�y�K�{t�#�����x&Y�(Mx��⪕�֨�ڔG�W�HŸ����m��pEO��_���.���E!�OyO�5� �Q�r[��~t�� �� o��i݋P��ބrڼ�P��K��k��P#Z*Ӻx*eV��4c��/�O˞����)�X/纹�’�N�’�/�%�e/�4Ɵ��%��kI~Op��*�N9c��Ő\?u�pF?ȋ,���U�%�N����$$?F}.
Based on the configuration file, it uses the mining pool “” and the wallet address is: 4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh.

We do not have accurate information about the current value of this wallet, but a Google search lists a Chinese website that has some information around malicious Monero wallets. At the time of their writing, this wallet had 157XMR, which is around $6,700.00 USD.


This malware does not stop at running a cryptominer. It attempts to spread itself using three different techniques to create a cryptomining botnet.
One technique it uses is of particular interest as it uses the EternalBlue exploit and DoublePulsar backdoor, which was used by the infamous Wannacry ransomware back in 2017.

TeamTNT has now also expanded its attacks to target Kubernetes installations.

TeamTNT now steals AWS credentials

But while expanding its targets base is generally pretty important, Cado researchers said there’s even a bigger update — namely a new feature that scans the underlying infected servers for any Amazon Web Services (AWS) credentials.

If the infected Docker and Kubernetes systems run on top of AWS infrastructure, the TeamTNT gang scans for ~/.aws/credentials and ~/.aws/config, and copies and uploads both files onto its command-and-control server.

Both of these files are unencrypted and contain plaintext credentials and configuration details for the underlying AWS account and infrastructure.

Cado researchers believe the attacker has not yet moved to use any of the stolen credentials.

A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.

According to researchers at Cado Security, the worm also deploys a number of openly available malware and offensive security tools, including “,” a SSH post-exploitation tool; a log cleaning tool; the Diamorphine rootkit; and the Tsunami IRC backdoor.

It is, they said, the first threat observed in the wild that specifically targets AWS for cryptojacking purposes. However, it also carries out more familiar fare.

“The worm also steals local credentials, and scans the internet for misconfigured Docker platforms,” according to a Monday posting.

Amazon Web Services (AWS) is under attack. It’s under attack by a group called TeamTNT, which is using a cryptomining worm to collect credentials. Once log in information is acquired, the worm dispatches XMRig to mine Monero cryptocurrency. Stealing data and access have always had value, but not compute.
But only recently has stealing compute had any value, a problem which was an unintended side effect of cryptomining. Even prior to TeamTNT, we have witnessed events and incidents where access was leaked and a $500,000 bill of compute was run up overnight by cryptominers.

Compute is now more valuable than data or access, especially cloud access and cloud compute which are highly sought. But even stolen hardware compute has value now.


The Internet of Things is creating serious new security risks. We examine the possibilities and the dangers.

Read now

Security researchers have discovered what appears to be the first crypto-mining malware operation that contains functionality to steal AWS credentials from infected servers.

This new data-stealing feature was spotted in the malware used by TeamTNT, a cybercrime group that targets Docker installs.

The group has been active since at least April, according to research published earlier this year by security firm Trend Micro.

Per the report, TeamTNT operates by scanning the internet for Docker systems that have been misconfigured and have left their management API exposed on the internet without a password.

The group would access the API and deploy servers inside the Docker install that would run DDoS and crypto-mining malware.

Once on the infected system, the bot can look for exposed user credentials on the underlying AWS infrastructure. In this case, it is looking for ~/.aws/credentials and ~/.aws/config directories where AWS Command Line Interface (CLI) typically stores unencrypted files containing credentials and configuration details. Once found, the files are copied and uploaded to the attacker’s command-and-control server using curl.

“The code to steal AWS credentials is relatively straightforward – on execution it uploads the default AWS credentials and config files to the attackers’ server,” Cado Security said.

Once the infrastructure has been compromised, the bot sets up its own containers to mine Monero cryptocurrency and to scan for additional Docker and Kubernetes servers.

Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying cryptojacking worms are successful at infecting large amounts of business systems,” Cado Security said.

Crypto-mining campaigns frequently borrow techniques and code from each other. In this case, TeamTNT copied code from another worm called Kinsing. Cado Security said other worms could start stealing AWS credentials, as well.

“It is likely we will see other worms start to copy the ability to steal AWS Credentials files too,” Cado Security said.

While there have been a number of malware campaigns targeting Docker and Kubernetes systems, and attacks looking for hard-coded or forgotten credentials, this AWS-specific functionality is new, said Cado Security.
Firewall rules can limit access to Docker APIs, and it is safer to whitelist systems that should be allowed access.

The threat actor’s goal is to essentially install a cryptomining bot that also moves laterally across the local network and is capable of spreading to public IPs. There is no doubt that installing cryptomining trojans seems to be a lucrative business for hackers as we have been seeing an upward trend of this activity not only on Windows, but also on Linux and IoT platforms.

This campaign is also interesting as it combines high-profile techniques into its arsenal, such as the EternalBlue exploit and DoublePulsar backdoor used in the infamous Wannacry ransomware. The attack strategy is also developing as they are expanding their attack exploits arsenal.
One downside of this group’s TTP (Techniques, Tactics and Procedure) is their infrastructure.

Leave a Reply

Your email address will not be published.