banner
New malware mines Monero and steals AWS credentials
New malware mines Monero and steals AWS credentials
Crypto

New malware mines Monero and steals AWS credentials

By Alfredo de Candia - 18 Aug 2020

Chevron down

Yesterday the Cado Security team released a new report about a new malware that not only infects systems and mines Monero (XMR), but also steals AWS (Amazon Web Service) credentials.

In recent years, companies have been gradually shifting from internal IT resource management systems to external systems in order to be able to access them remotely and lower the costs of both purchasing materials and maintenance.

This has resulted in strong growth in the cloud computing industry, so the company borrows computational resources and builds its own platform on them, as if they were virtual computers.

Unfortunately, a dangerous aspect of this system is the fact that after entering the system, all the systems on the network are compromised without any intervention, since one of the solutions is to reset the various systems and hope that nothing is lost.

The research team has discovered that behind this malware lies a criminal group called TeamTNT, which has compromised several Docker and Kubernetes.

Once a device has been attacked, the criminals search for the “.aws/credentials” and “.aws/config” folder and send the files to the criminals’ server sayhi.bplace.net. When this happens, the server returns the message THX, i.e. thanks in English.

From what has been discovered, the relevant credentials are subsequently entered manually by the criminals, so this can be an advantage because by acting on time and changing them, the victim could bypass the system.

In addition, the Cado Security team has discovered that the malware also contains the code of the infamous Kinsing, which allows the Alibaba Cloud security tool to be stopped.

After stealing the credentials, the malware does not stop there but proceeds to install the XMRig mining tool.

Research has shown that at least 119 systems have already been compromised and 2 Monero addresses associated with the criminals have been discovered: 

88ZrgnVZ687Wg8ipWyapjCVRWL8yFMRaBDrxtiPSwAQrNz5ZJBRozBSJrCYffurn1Qg7Jn7WpRQSAA3C8aidaeadAn4xi4k in monero ocean.

These generate about €4 per day or 0.054 XMR per day and criminals have already cashed almost 2 XMR.

monero malware

The report concludes with some tips on how, for example, it would be wise to delete credentials folders, use a firewall that limits access to the Docker API, check traffic sent to any mining pools and check if there are connections to HTTP pages.

Alfredo de Candia
Alfredo de Candia

Android developer for over 8 years with a dozen of developed apps, Alfredo at age 21 has climbed Mount Fuji following the saying: "He who climbs Mount Fuji once in his life is a wise man, who climbs him twice is a Crazy". Among his app we find a Japanese database, a spam and virus database, the most complete database on Anime and Manga series birthdays and a shitcoin database. Sunday Miner, Alfredo has a passion for crypto and is a fan of EOS.

We use cookies to make sure you can have the best experience on our site. If you continue to use this site we will assume that you are happy with it.