Yesterday the Cado Security team released a report about a new malware that not only infects systems and mines Monero (XMR), but also steals AWS (Amazon Web Services) credentials.
New blog! We saw a worm spreading over the weekend that steals AWS Credentials – the first we've seen with that capability. It also scans and exploits vulnerable Docker & Kubernetes systems https://t.co/PhDZpQL4GU pic.twitter.com/RQfQsJB2ME
— cado (@CadoSecurity) August 17, 2020
In recent years, companies have been gradually shifting from internally managed IT resources to externally hosted systems, so that they can be accessed remotely and both hardware purchase and maintenance costs are reduced.
This has driven strong growth in the cloud computing industry: a company rents computational resources and builds its own platform on them, as if they were virtual computers.
Unfortunately, a dangerous aspect of this model is that once an attacker has gained entry, every system on the network can be compromised without further intervention, and one of the few remedies is to reset the various systems and hope that nothing is lost.
The research team has discovered that behind this malware lies a criminal group called TeamTNT, which has compromised several Docker and Kubernetes deployments.
Once a device has been compromised, the criminals search for the “.aws/credentials” and “.aws/config” files and send them to the criminals’ server sayhi.bplace.net. When this happens, the server replies with the message THX, i.e. “thanks”.
From what has been discovered, the stolen credentials are subsequently used manually by the criminals, which can work to the victim’s advantage: by acting in time and rotating them, the victim can render the stolen credentials useless.
In addition, the Cado Security team found that the malware also contains code from the infamous Kinsing malware, which is used to stop the Alibaba Cloud security tool.
After stealing the credentials, the malware does not stop there but proceeds to install the XMRig mining tool.
Research has shown that at least 119 systems have already been compromised, and 2 Monero addresses associated with the criminals have been discovered; one of them, listed below, is used on the MoneroOcean pool:
88ZrgnVZ687Wg8ipWyapjCVRWL8yFMRaBDrxtiPSwAQrNz5ZJBRozBSJrCYffurn1Qg7Jn7WpRQSAA3C8aidaeadAn4xi4k
These generate about €4 per day, or 0.054 XMR per day, and the criminals have already cashed out almost 2 XMR.
The report concludes with some tips: for example, it would be wise to delete credential files that are not needed, use a firewall that limits access to the Docker API, monitor traffic sent to any mining pools, and check for connections to plain HTTP pages.
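As an added example (not code from the Cado report or from this article), the following script turns the last two tips into a check over simplified outbound connection records: it flags the exfiltration host named above, likely mining-pool traffic, and plaintext HTTP, and lists the source hosts whose AWS keys should be rotated first. The record format, the sample log and the Stratum port list are assumptions constructed for this demonstration.

```python
"""Added example, not code from the Cado report: scan simplified outbound
connection records for the behaviours described above. The record format,
the port list and all sample records are constructed for this demonstration."""
import re
from typing import List, Tuple

# Exfiltration host named in the report.
EXFIL_HOSTS = {"sayhi.bplace.net"}
# Pool named in the report (MoneroOcean); the port list is an assumption
# based on commonly used Stratum mining ports, not taken from the report.
POOL_HOST_FRAGMENTS = ("moneroocean",)
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}

# Constructed record format: <timestamp> <src_ip> <dst_host> <dst_port> <proto>
RECORD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")

SAMPLE_LOG = """\
2020-08-17T10:01:02Z 10.0.3.12 sayhi.bplace.net 80 http
2020-08-17T10:01:05Z 10.0.3.12 gulf.moneroocean.stream 10128 tcp
2020-08-17T10:01:09Z 10.0.3.12 203.0.113.7 4444 tcp
2020-08-17T10:02:00Z 10.0.3.40 registry.example.com 443 https
2020-08-17T10:02:01Z 10.0.3.40 updates.example.com 80 http
"""

def classify(dst_host: str, dst_port: int, proto: str) -> List[str]:
    """Return the reasons a single outbound connection deserves review."""
    host = dst_host.lower()
    tags = []
    if host in EXFIL_HOSTS:
        tags.append("known-exfil-host")
    if any(frag in host for frag in POOL_HOST_FRAGMENTS) or dst_port in STRATUM_PORTS:
        tags.append("possible-mining-pool")
    if proto == "http":
        tags.append("plaintext-http")
    return tags

def scan(log_text: str) -> List[Tuple[str, str, int, List[str]]]:
    """Return (src_ip, dst_host, dst_port, tags) for every record with findings."""
    hits = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip malformed records rather than abort the whole scan
        _ts, src, host, port, proto = m.groups()
        tags = classify(host, int(port), proto.lower())
        if tags:
            hits.append((src, host, int(port), tags))
    return hits

def hosts_needing_credential_rotation(log_text: str) -> List[str]:
    """Sources that talked to the exfil host: rotate their AWS keys first."""
    return sorted({src for src, _h, _p, tags in scan(log_text) if "known-exfil-host" in tags})
```

Plaintext HTTP on its own is only a review prompt; the combination of an exfil-host hit and mining-pool traffic from the same source is the pattern the report describes.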