Researchers find AWS creds stealing worm

Security researchers say they have encountered self-propagating malware, a so-called worm, that on top of attempting to mine cryptocurrency, also tries to steal login credentials for Amazon Web Services accounts.

Cado Security said the crypto-jacking TeamTNT worm scans for credentials that are stored in the AWS command line interface shell in an unencrypted file.

If found, the credentials are sent to the attackers' server which is currently hosted on a network allocated to a company with an address in Germany.

With local AWS credentials taken, the worm also scans the internet for misconfigured Docker and Kubernetes orchestration platforms to spin up images and to install itself in a new container.

Cado said it is the first time it has seen such AWS cred-stealing functionality.

The security vendor said it found 119 compromised systems, some of which were identifiable as Kubernetes clusters and Jenkins build servers.

The servers were found as TeamTNT attackers deploy the XMRig Monero cryptocurrency mining tool as well, and Cado was able to monitor one of the pools used to gather information on the compromised servers.

TeamTNT appears to have copied code from the earlier Kinsing worm that is used to stop the Alibaba Cloud Security service.

The worm code appeared first in May this year, when the MalwareHunterTeam Twitter account posted details on it, and Trend Micro provided further analysis shortly after.

At the time, the related worm variant dropped crypto miners and hosted a distributed denial of service bot, using Alpine Linux containers. 

Users are advised to work out where their AWS credentials files are stored, and to delete them if not needed.

Firewall rules to limit access to Docker application programming interfaces are also recommended, using a whitelist approach, Cado suggested.