It is not just a double whammy! Researchers at the cybersecurity firm Cado Security say that TNT’s cryptomining worm also steals AWS credentials, which is reportedly a first of its kind. Operated by a notorious group called TeamTNT, the worm has been active and known since at least April 2020. It has already compromised many Docker and Kubernetes systems and was recently upgraded with credential snooping tactics.
How it Works
The AWS CLI stores credentials in an unencrypted file at ~/.aws/credentials. The malware steals this information by exfiltrating the credentials file, along with the additional configuration details stored in the config file at ~/.aws/config, to the attackers’ server. To test the modus operandi, the researchers sent credentials created by CanaryTokens.org to the TNT group. However, these have not been used yet. This indicates that TNT either manually assesses and controls the use of credentials or has an automated function that is currently offline.
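As an added example (not code from Cado Security's research or from the original article), the following Python script audits a shared credentials file like the one the worm targets: it flags a file that is accessible beyond its owner and separates long-lived static keys from temporary session credentials. It assumes AWS's documented AKIA (long-term) and ASIA (temporary) access key ID prefixes; the function name audit_credentials and the sample file contents are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample; placeholder values in AWS's documented key formats, not real keys.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructedPlaceholderSecret
aws_session_token = constructedPlaceholderToken
"""

def audit_credentials(path):
    """Return (profile, finding) tuples for an AWS shared credentials file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        findings.append(("<file>", f"accessible beyond owner (mode {mode:03o})"))
    parser = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    parser.read(path)
    for profile in parser.sections():
        section = parser[profile]
        key_id = section.get("aws_access_key_id", "")
        has_token = "aws_session_token" in section
        if key_id.startswith("AKIA") and not has_token:
            # Stays valid after theft until someone rotates or deletes it.
            findings.append((profile, "long-lived static access key"))
        elif key_id.startswith("ASIA") or has_token:
            # Expires on its own, which limits the value of a stolen copy.
            findings.append((profile, "temporary session credentials"))
    return findings

if __name__ == "__main__":
    # Demo run against the constructed sample written to a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        sample_path = os.path.join(tmp, "credentials")
        with open(sample_path, "w") as handle:
            handle.write(SAMPLE)
        os.chmod(sample_path, 0o644)
        for profile, finding in audit_credentials(sample_path):
            print(f"{profile}: {finding}")
```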
The Extra Baggage
On infected systems, the malware searches for local credentials to exfiltrate and scans the Internet for misconfigured Docker platforms to enable lateral spread. After exploitation, the worm deploys the XMRig mining tool to mine Monero cryptocurrency. The researchers said that one of the campaigns has already earned TNT about 3 XMR, which is worth $300.
Once the system is compromised, the worm also deploys some other payloads and offensive security tools, such as punk.py (an SSH post-exploitation tool), a log cleaning tool, the Diamorphine rootkit, and the Tsunami IRC backdoor.
Closing Notes
The research team tracking TNT’s movement spotted a link to the malware-hosting domain teamtnt[.]red, which features a homepage titled “TeamTNT RedTeamPentesting.”
The TNT worm contains code copied from a previously known worm, Kinsing. The researchers believe that most cryptomining worms inherit their code from their predecessors, so we need to be vigilant: future threats of this kind may also include the ability to steal AWS credentials.