Over the weekend we’ve seen a crypto-mining worm spread that steals AWS credentials. It’s the first worm we’ve seen that contains such AWS specific functionality. The worm also steals local credentials, and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves “TeamTNT”, compromise a number of Docker and Kubernetes systems.
These attacks are indicative of a wider trend. As organisations migrate their computing resources to cloud and container environments, we are seeing attackers following them there.
The AWS CLI stores credentials in an unencrypted file at ~/.aws/credentials, and additional configuration details in a file at ~/.aws/config.
The code to steal AWS credentials is relatively straightforward – on execution it uploads the default AWS .credentials and .config files to the attackers' server, sayhi.bplace[.]net:
Curl is used to send the AWS credentials to TeamTNT’s server, which responds with the message “THX”:
We sent credentials created by CanaryTokens.org to TeamTNT, but have not seen them used yet. This suggests that TeamTNT either assesses and uses the credentials manually, or that any automation they may have built is not currently functioning.
Most crypto-mining worms are an amalgamation of previous worms, as authors copy and paste their competitors' code. TeamTNT's worm contains code copied from another worm named Kinsing, which is designed to stop the Alibaba Cloud Security tools:
In turn, it is likely we will see other worms start to copy the ability to steal AWS Credentials files too.
The worm also includes code to scan for open Docker APIs using masscan, then spin up Docker images and install itself:
The worm deploys the XMRig mining tool to mine the Monero cryptocurrency and generate cash for the attackers. One of the mining pools they use provides detailed information about the systems the worm has compromised:
This page lists 119 compromised systems, some of which can be identified as Kubernetes clusters and Jenkins build servers.
So far we have seen two different Monero wallets associated with these latest attacks, which have earned TeamTNT about 3 XMR. That equates to only about $300 USD, however this is only one of their many campaigns.
The worm also deploys a number of openly available malware and offensive security tools:
The worm contains numerous references to “TeamTNT” and the domain teamtnt[.]red. The domain hosts malware, and the homepage titled “TeamTNT RedTeamPentesting” is an odd reference to public malware sandboxes:
Whilst these attacks aren't particularly sophisticated, the numerous groups out there deploying crypto-jacking worms are successful at infecting large numbers of business systems.
Below are some suggestions to help protect them:
We would like to credit the previous research on TeamTNT by Trend Micro, Malware Hunter Team and r3dbU7z.
rule TeamTNT_Worm_August_2020 {
    meta:
        description = "Detects TeamTNT Worm"
        author = "cdoman@cadosecurity.com"
        date = "2020-08-16"
        license = "Apache License 2.0"
        hash1 = "3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f"
        hash2 = "929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b"
        hash3 = "705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0"
    strings:
        $a = "echo $LOCKFILE | base64 -d > $tmpxmrigfile" wide ascii
        $b = "/root/.tmp/xmrig --config=/root/.tmp/" wide ascii
        $c = "if [ -s /usr/bin/curl ]; then" wide ascii
        $d = "echo 'found: /root/.aws/credentials'" wide ascii
        $e = "function KILLMININGSERVICES(){" wide ascii
        $f = "hilde@teamtnt.red" wide ascii
        $g = "touch /root/.ssh/authorized_keys 2>/dev/null 1>/dev/null" wide ascii
        $h = "rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service" wide ascii
        $i = "userfile=@/root/.ssh/id_ed25519.pub" wide ascii
    condition:
        filesize < 100KB and 1 of them
}
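As an added example (not part of the original post or Cado's tooling), the following Python reproduces the logic of the YARA rule above, including the "wide ascii" modifier and the "filesize < 100KB and 1 of them" condition, so the rule can be exercised on a sample where yara is not installed. The sample inputs are constructed for illustration, not real worm files, and the hash metadata is not evaluated.

```python
"""Pure-Python evaluation of the TeamTNT_Worm_August_2020 YARA rule.

Added example, not from the original post: reproduces the rule's 'wide ascii'
string matching and its 'filesize < 100KB and 1 of them' condition so a sample
can be checked where yara is not installed. The hash metadata is not evaluated.
"""

# The nine indicator strings from the rule, keyed by their YARA identifiers.
TEAMTNT_STRINGS = {
    "$a": "echo $LOCKFILE | base64 -d > $tmpxmrigfile",
    "$b": "/root/.tmp/xmrig --config=/root/.tmp/",
    "$c": "if [ -s /usr/bin/curl ]; then",
    "$d": "echo 'found: /root/.aws/credentials'",
    "$e": "function KILLMININGSERVICES(){",
    "$f": "hilde@teamtnt.red",
    "$g": "touch /root/.ssh/authorized_keys 2>/dev/null 1>/dev/null",
    "$h": "rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service",
    "$i": "userfile=@/root/.ssh/id_ed25519.pub",
}

MAX_FILESIZE = 100 * 1024  # YARA's "100KB"


def matching_strings(data: bytes) -> list:
    """Return identifiers whose 'ascii' or 'wide' (UTF-16LE) form occurs in data."""
    hits = []
    for ident, text in TEAMTNT_STRINGS.items():
        ascii_form = text.encode("ascii")
        wide_form = text.encode("utf-16-le")  # 'wide': each char followed by 0x00
        if ascii_form in data or wide_form in data:
            hits.append(ident)
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: filesize < 100KB and 1 of them."""
    return len(data) < MAX_FILESIZE and len(matching_strings(data)) >= 1


# Constructed samples (not real worm files): a shell fragment in the worm's
# style, a UTF-16LE-encoded indicator, and a benign script for comparison.
SAMPLE_SCRIPT = b"#!/bin/bash\nif [ -s /usr/bin/curl ]; then\n  echo 'found: /root/.aws/credentials'\nfi\n"
SAMPLE_WIDE = "hilde@teamtnt.red".encode("utf-16-le")
BENIGN = b"#!/bin/bash\naws s3 ls\n"

if __name__ == "__main__":
    for name, blob in [("script", SAMPLE_SCRIPT), ("wide", SAMPLE_WIDE), ("benign", BENIGN)]:
        print(name, rule_matches(blob), matching_strings(blob))
```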