A malicious cryptocurrency miner and DDoS worm that has been targeting Docker systems for months now also steals Amazon Web Services (AWS) credentials.
The original threat
TeamTNT’s “calling card” appears when the worm first runs on the target installation:
- Scan for open Docker daemon ports (i.e., misconfigured Docker containers)
- Create an Alpine Linux container to host the coinminer and DDoS bot
- Search for and delete other coin miners and malware
- Configure the firewall to allow ports that will be used by the other components, sinkhole other domain names, exfiltrate sensitive information from the host machine
- Download additional utilities, a log cleaner, and a tool that attackers may use to pivot to other devices in the network (via SSH)
- Download and install the coinminer
- Collect system information and send it to the C&C server
The latest iteration has been equipped with new capabilities, Cado Security researchers found.
The worm still scans for open Docker APIs, then spins up Docker images and install itself in a new container, but it now also searches for exploitable Kubernetes systems and files containing AWS credentials and configuration details – just in case the compromised systems run on the AWS infrastructure.
The code to steal these files is relatively straightforward, the researchers note, and they expect other worms to copy this new ability soon.
But are the attackers using the stolen credentials or are they selling them? The researchers tried to find out by sending “canary” AWS keys to TeamTNT’s servers, but they haven’t been used yet.
“This indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn’t currently functioning,” they concluded.
Nevertheless, they urge businesses to:
- Identify systems that are storing AWS credential files and delete them if they aren’t needed
- Use firewall rules to limit any access to Docker APIs
- Review network traffic for connections to mining pools or using the Stratum mining protocol
- Review any connections sending the AWS Credentials file over HTTP