TeamTNT Botnet Steals AWS Credentials From Compromised Servers

The frequent targeting of cloud and container environments is indicative of the vast attack surface they present to cybercriminals. Recently, Cado Security researchers found a crypto-mining worm, dubbed ‘TeamTNT’, that is the first known to contain Amazon Web Services (AWS)-specific functionality.

What happened?

Active since April 2020, TeamTNT updated its mode of operation in mid-August.
  • TeamTNT has added a data-stealing feature that scans compromised hosts for AWS credentials and exfiltrates them. It is the first botnet malware known to scan for and steal AWS credentials.
  • The worm also steals local credentials and scans the internet for misconfigured Docker systems.
  • So far, the attackers have compromised many Docker and Kubernetes installations, as well as Jenkins build servers.

Post exploitation

Besides acting as a botnet and a worm, TeamTNT uses the XMRig miner to mine Monero cryptocurrency.
  • The worm also deploys several openly available malware and offensive security tools, including punk.py, the Diamorphine rootkit, the Tsunami IRC backdoor, and a log-cleaning tool.
  • Two Monero wallets associated with these latest attacks have earned TeamTNT about 3 XMR (approximately $300).

Similarities to other malware

According to researchers, TeamTNT's malware suite borrows heavily from another worm named Kinsing, as malware authors routinely copy and paste their competitors’ code. The Kinsing worm was designed to bypass Alibaba Cloud security tools. In early April 2020, a bitcoin-mining campaign used the Kinsing malware to scan for misconfigured Docker APIs, then spin up Docker images and install itself.

Bottom line

MalwareHunterTeam has flagged the latest set of campaigns as a unique development. It is likely that other worms will start to copy the ability to steal AWS credentials. To thwart such attacks, organizations should review their security configurations to protect AWS deployments from being hijacked. Monitoring network traffic and using firewall rules to limit access to Docker APIs is also recommended.
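The two exposures this campaign relies on, a Docker API reachable from the network and AWS credential files readable by other local users, are both easy to audit on a host. The following is an added example, not code from Cado Security or from the article, that checks both: it parses a Docker `daemon.json` and `ss`-style listener output for the Docker remote API ports (2375 plain and 2376 TLS, Docker's documented defaults) bound to non-loopback addresses, and it flags an AWS credentials file whose mode grants group or world read access. All inputs below are constructed samples; on a live host you would feed it the real `daemon.json`, the output of `ss -lntp`, and `os.stat(path).st_mode` for each user's `~/.aws/credentials`.

```python
"""Audit a host for the exposures described in the TeamTNT write-up:
an unauthenticated Docker API reachable over the network, and AWS
credential files readable by other local users.
Added example; the sample inputs are constructed, not captured."""
import json
import re
import stat

# Docker's documented default TCP ports for the remote API (plain / TLS).
DOCKER_API_PORTS = {2375, 2376}
LOOPBACK_PREFIXES = ("127.", "::1", "localhost")

# Constructed daemon.json: the tcp:// entry exposes the API on every interface.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed listener table in the style of `ss -lntp` output.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       4096          0.0.0.0:2375        0.0.0.0:*      users:(("dockerd",pid=812,fd=7))
LISTEN  0       128         127.0.0.1:2376        0.0.0.0:*      users:(("dockerd",pid=812,fd=8))
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=501,fd=3))
"""

SS_LINE = re.compile(r"^(?:tcp\s+)?LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)(?:\s|$)")


def _is_loopback(addr):
    """True for 127.x, ::1 or localhost; '', '*' and '[::]' mean all interfaces."""
    return addr.strip("[]").startswith(LOOPBACK_PREFIXES)


def exposed_docker_hosts(daemon_json_text):
    """Return the tcp:// entries in daemon.json that bind a non-loopback address."""
    cfg = json.loads(daemon_json_text)
    exposed = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if not _is_loopback(addr):
            exposed.append(host)
    return exposed


def exposed_docker_listeners(ss_output):
    """Return (address, port) pairs where a Docker API port listens beyond loopback."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header line or non-listening socket
        addr, port = m.group(1), int(m.group(2))
        if port in DOCKER_API_PORTS and not _is_loopback(addr):
            hits.append((addr, port))
    return hits


def credential_file_findings(path, mode):
    """Flag an AWS credentials file readable by group or others.

    `mode` is the file's st_mode; pass os.stat(path).st_mode on a live host.
    """
    findings = []
    if mode & stat.S_IRGRP:
        findings.append(f"{path}: group-readable")
    if mode & stat.S_IROTH:
        findings.append(f"{path}: world-readable")
    return findings


def audit(daemon_json_text, ss_output, credential_files):
    """Combine the three checks into one list of findings.

    credential_files is an iterable of (path, st_mode) pairs.
    """
    findings = [f"daemon.json exposes Docker API on {h}" for h in exposed_docker_hosts(daemon_json_text)]
    findings += [f"Docker API listening on {a}:{p}" for a, p in exposed_docker_listeners(ss_output)]
    for path, mode in credential_files:
        findings += credential_file_findings(path, mode)
    return findings


if __name__ == "__main__":
    # Constructed credential file modes: one too permissive (0644), one correct (0600).
    sample_creds = [("/home/ci/.aws/credentials", 0o100644), ("/root/.aws/credentials", 0o100600)]
    for finding in audit(SAMPLE_DAEMON_JSON, SAMPLE_SS_OUTPUT, sample_creds):
        print("FINDING:", finding)
```

On the constructed input the script reports the `tcp://0.0.0.0:2375` entry, the `0.0.0.0:2375` listener (the loopback-only 2376 listener and sshd are ignored), and the 0644 credentials file; a clean host returns an empty list, which makes the function easy to wire into a periodic compliance check.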