Upgraded crypto-mining malware now steals AWS credentials

News
By published

TeamTNT is actively stealing AWS credentials from misconfigured Docker and Kubernetes systems

(Image credit: Shutterstock)

The crypto-mining malware used by the cybercrime group TeamTNT has been updated with new functionality that allows it to steal AWS credentials from infected servers.

The group has been operating since at least April of this year according to a report from Trend Micro, whose researchers discovered its cyptocurrency miner along with a DDoS bot used to target Docker systems while investigating an open directory containing malicious files first discovered by MalwareHunterTeam.

TeamTNT scans the internet searching for misconfigured Docker APIs that have been left exposed online without a password. When the group finds a vulnerable Docker system, it deploys servers inside the installation to launch DDoS attacks and run crypto-mining malware. 

However, TeamTNT is just one of many cybercrime gangs that employs similar tactics in order to take advantage of organizations whose systems are not properly secured online.

First cryptocurrency, now credentials

According to a new report from the UK-based security firm Cado Security, TeamTNT has expanded the scope of its malware to target Kubernetes installations while also adding a new feature that scans infected servers for any AWS credentials.

If an infected Docker or Kubernetes system runs on top of AWS infrastructure, the group scans for AWS credentials and configuration files, copies them and then uploads them to its command-and-control server. To make matters worse, both the ~/.aws/credentials and ~/.aws/config files stolen by TeamTNT are unencrypted and contain plaintext credentials and configuration details for a target's AWS account and infrastructure.

Thankfully though, the group has not yet used any of the stolen credentials according to researchers at Cabo Security who sent a collection of canary credentials to its C&C server which have yet to have been used.

Team TNT and its crypto-mining malware pose a serious threat to organizations as the group will likely be able to boost its profits significantly by either selling the stolen credentials or using them to mine additional cryptocurrency.

Via ZDNet

TOPICS
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
An American flag flying outside the US Capitol building against a blue sky
The FCC is creating a security council to bolster US defenses against cyberattacks
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Biometrics add another layer of security to passwordless authentication
Data leak
Hacked Tata Technologies data leaked by ransomware gang
Latest in News
Google Gemini Flash 2.0 Images
I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's Flash 2.0
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung Galaxy S26 Ultra could resurrect an intriguing camera feature
Eurocom Raptor X18
At $15,000, this massive 256GB RAM laptop makes Apple's MacBook Pro look affordable, tiny and very, very slow
Cristin Milioti in Black Mirror season 7
Netflix launches trailer for Black Mirror season 7, giving us a look at its first-ever sequel episode and an unexpected returning character
A graphic of the PC Gaming Show
Get ready for a bounty of PC games on June 8, as the PC Gaming show is back
A close up of The Daily podcast from Pocket Casts' web page
‘Podcasting shouldn’t be locked behind walled gardens’: Pocket Casts slams Spotify and makes its web player free to all
More about security
An American flag flying outside the US Capitol building against a blue sky

The FCC is creating a security council to bolster US defenses against cyberattacks
Ransomware

Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Google Gemini Flash 2.0 Images

I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's Flash 2.0
See more latest
Most Popular
Google Gemini Flash 2.0 Images
I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's Flash 2.0
Eurocom Raptor X18
At $15,000, this massive 256GB RAM laptop makes Apple's MacBook Pro look affordable, tiny and very, very slow
Dell Pro 75 Plus monitor pictured against a white background.
Dell just launched a $4,000 75-inch 4K touchscreen display - but I've found one rival that's 50% cheaper
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung Galaxy S26 Ultra could resurrect an intriguing camera feature
Quordle on a smartphone held in a hand
Quordle hints and answers for Friday, March 14 (game #1145)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Friday, March 14 (game #642)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Friday, March 14 (game #376)
Verizon logo on a building with blue sky above
Millions of Americans are missing out on cheap unlimited cloud storage - how to check if you are one of them
Cristin Milioti in Black Mirror season 7
Netflix launches trailer for Black Mirror season 7, giving us a look at its first-ever sequel episode and an unexpected returning character
The Toyota FT-Me Concept sitting in a car park
Toyota's self-charging concept EV could help you tackle the daily commute on solar power alone