Researchers fr om Cado Security came across a crypto-mining worm which is able to steal AWS credentials from infected servers. This is the first worm observed that contains such AWS specific functionality.

The malware appears to be the work of the TeamTNT gang, which has been active since April and has been known to target Docker installs. The group’s activity has been detailed by Trend Micro in May this year, and according to the report, TeamTNT usually scans the internet in search of misconfigured Docker containers and infects them with a malicious cryptocurrency miner and a DDoS malware.

However, recently the TeamTNT group has changed its tactics and added misconfigured Kubernetes installations to its target list. The botnet operators also implemented a new feature in their malware that scans the underlying infected servers for any Amazon Web Services (AWS) credentials. Once infecting Docker and Kubernetes systems running on top of AWS servers, the bot scans for ~/.aws/credentials and ~/.aws/config, which are the paths wh ere the AWS CLI stores credentials and configuration details in an unencrypted file. These files are then copied and uploaded to attackers’ command and control server.

The researchers sent credentials created by CanaryTokens.org to the TeamTNT server, but did not observe the group use them. The possible explanation for this may be that TeamTNT “either manually assess and use the credentials, or any automation they may have created isn’t currently functioning.”

The worm deploys the XMRig mining tool to mine monero crypto-currency and generate cash for the attackers. The malware also deploys a number of openly available malware and offensive security tools, including punk.py (an SSH post-exploitation tool), a log cleaning tool, the Diamorphine rootkit, and the Tsunami IRC backdoor.

The researchers have identified two different Monero wallets associated with the recent attacks, which have earned TeamTNT about 3 XMR (nearly $300), however, Cado Security points out that the earned amount could be much higher as this is only one of the group’s many campaigns.