Rewterz Threat Alert – Cryptomining Worms Steals AWS Credentials

Severity

High

Analysis Summary

A previously unseen type of worm, from a team called TeamTNT, capable of stealing AWS credentials has been observed and analyzed by researchers. In addition to AWS credentials, the worm is capable of stealing local credentials and scanning for misconfigured Docker platforms. With the continued migration of major corporations to cloud platforms, this type of threat could become more and more prevalent. Credentials are stored in an unencrypted file at a specified location and additional configuration details stored at another specified location. The code used is relatively straightforward and uploads the files to a C2 server. The worm uses Curl to send these credentials to TeamTNT’s server. In a bit of humor, the server responds with “THX.” Credentials were able to be sent to the malware authors, however, they have been unseen to this point, leading researchers to believe credentials are manually assessed. In another aspect, the authors have copied code from another worm which is used to stop Alibaba Cloud Security. Because this particular worm has the credential stealing capabilities from AWS, researchers believes other worms will copy the functionality from the TeamTNT worm. The worm also deploys the XMRig mining tool for the purposes of crypto mining of Monero. Two different wallets have been observed as associated with these attacks, however, the malware has only received about US$300. Finally, the worm deploys other openly available malware such as punk.py, log cleaning tools, Diamorphine rootkit, and Tsunami IRC Backdoor.

Impact

• Credential theft
• Exposure of sensitive data  

Indicators of Compromise

IP

• 129[.]211[.]98[.]236
• 85[.]214[.]149[.]236
• 203[.]195[.]214[.]104

SHA-256

• 78037e2d2e596bd450b99551535fa9c38c4e8346ab75eb424bf9e95316424fbe
• 4f115381c17ba1dedb25d35d922feda9a723e206d811ed437b75fd8116ef461b
• 4a5d3435cd4a835056b4940e1cea9a25b1619562525bd9953a120b556b305983
• 230e2a06df2cd7574ee15cb13714d77182f28d50f83a6ed58af39f1966177769
• 07377cac8687a4cde6e29bc00314c265c7ad71a6919de91f689b58efe07770b0
• da43ed194729f82db68b1d91a17cea6afde8ae81357116c35c4c129888a836bf
• 2c24ff738b998ead33f514f0a63f95a106fa220cdb084d7402e889b037362e16
• 5bf2c350441cd15e2d7852a513f863b0b7649582deb297467a718c1c5aa33b21
• a79d4f5633dbbe98842d5073b41cc25468679c46e011373587ffdbc544d1ea12
• da43ed194729f82db68b1d91a17cea6afde8ae81357116c35c4c129888a836bf
• c55e4c67ba3cf54360a88980183767522fc05e8bf076f31399ee45efbfbd78e5
• 9f5e14ca8c877b7dff84ffbe018c461233af975654bd5b87431920dfc24568a5
• 705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0
• 68ad2df23712767361d17a55ee13a3b482bee5a07ea3f3741c057db24b36bfce
• 79a060a0efcf4a1538c58e532b984dcd927fda17ca9fd10c2ff212f9d9d76be6
• a386aced768146fecfe81cac214c51c7e575b2c0c27a29c683e3357706f651ba
• f64a828d58ac5bbdde5e982ebb0766c8969cb63b4ab642467392042f2a594295
• 616c3d5b2e1c14f53f8a6cceafe723a91ad9f61b65dd22b247788329a41bc20e
• bcfa215dec8fe15d4265c508c39c1ebafb7370acc95721e4e7d610b0459eb8dd
• 15dce6f833812b119de9447db49e61f5c238c4e45b0dafbe0b6af0ab50bb329a
• b556d266b154c303bb90db005d7dd4267ed8d0e711e3fd32406c64b1fc977f9e
• 3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f
• feb0a0f5ffba9d7b7d6878a8890a6d67d3f8ef6106e4e88719a63c3351e46a06
• 0742efecbd7af343213a50cc5fd5cd2f8475613cfe6fb51f4296a7ec4533940d
• 72b1cbfbd87c6cd85b9dc1da48c852768003e7fb4f01d8f6904921474be199ad
• 1aaf7bc48ff75e870db4fe6ec0b3ed9d99876d7e2fb3d5c4613cca92bbb95e1b
• 929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b
• 2c40b76408d59f906f60db97ea36503bfc59aed22a154f5d564d8449c300594f

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.