
Crypto-mining worm steals AWS credentials


A new cryptocurrency-mining malware has been spotted in the wild, and it comes with an unusual set of features.

According to cybersecurity researchers from Cado Security, besides mining cryptocurrency for its operators, the malware also steals Amazon Web Services (AWS) credentials.

The hackers could use the stolen AWS credentials to launch far more powerful EC2 instances in the victim's account and install miners on them to increase their earnings, or simply sell the logins on the black market.

According to the report, the malware is operated by the cybercriminal group TeamTNT. The group's modus operandi is simple: find Docker installs whose API is reachable from the internet, use that API to spin up containers on the host, and run DDoS and crypto-mining malware inside them.
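A host-side audit for the two exposures described above: the AWS credentials file a credential-stealing miner would exfiltrate, and a Docker daemon whose API is served over plain TCP, the way in that TeamTNT is described as using. This is an added example, not code from Cado Security or from the page; the function names and the sample credentials file and daemon.json are this example's own constructed assumptions. The only external fact it relies on is AWS's key-prefix convention (long-lived IAM user keys begin with AKIA, temporary STS keys with ASIA).

```python
"""Offline audit for the two exposures the article describes.

(1) An AWS credentials file that holds long-lived IAM user keys, which is what
    a credential-stealing miner running on the host would exfiltrate.
(2) A Docker daemon whose API is served over plain TCP, the entry point TeamTNT
    is described as using to deploy containers.

All sample inputs below are constructed for illustration; they are not taken
from the report.  The AKIA/ASIA key-prefix convention is AWS's own; everything
else (function names, file contents) is an assumption of this example."""
import configparser
import json
import re
import stat

# AWS long-lived IAM user access keys start with "AKIA"; temporary STS keys
# start with "ASIA" and are useless once their session expires.
_LONG_LIVED_KEY = re.compile(r"^AKIA[0-9A-Z]{16}$")


def find_static_aws_keys(credentials_text):
    """Return the profile names in an ~/.aws/credentials body that carry a
    long-lived access key.  Profiles holding only temporary ASIA... keys
    with a session token are not flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(credentials_text)
    return [p for p in cp.sections()
            if _LONG_LIVED_KEY.match(cp[p].get("aws_access_key_id", "").strip())]


def credentials_file_readable_by_others(mode):
    """True if a file mode (as in os.stat(path).st_mode) grants read access to
    group or world.  Any local process, including one that escaped a
    container, could then read the keys; 0600 is what the AWS CLI creates."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def exposed_docker_hosts(daemon_json_text, dockerd_argv=()):
    """Return tcp:// listeners configured for dockerd that are not protected
    by TLS client-certificate verification.  'hosts' and 'tlsverify' may be
    set in /etc/docker/daemon.json or on the dockerd command line, so both
    are inspected."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    hosts = list(cfg.get("hosts", []))
    argv = list(dockerd_argv)
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    tls_verify = bool(cfg.get("tlsverify", False)) or any(
        a in ("--tlsverify", "--tlsverify=true") for a in argv)
    return [h for h in hosts if h.startswith("tcp://") and not tls_verify]


def audit(credentials_text, credentials_mode, daemon_json_text, dockerd_argv=()):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for profile in find_static_aws_keys(credentials_text):
        findings.append(f"profile '{profile}' stores a long-lived AKIA key; "
                        "rotate it and prefer instance roles or STS sessions")
    if credentials_file_readable_by_others(credentials_mode):
        findings.append("credentials file is readable by group/others; chmod 0600")
    for host in exposed_docker_hosts(daemon_json_text, dockerd_argv):
        findings.append(f"Docker API listens on {host} without TLS verification; "
                        "anyone who can reach it can start containers as root")
    return findings


# Constructed sample inputs (not real credentials or a real host).
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[temp]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEXAMPLETOKEN
"""

SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

if __name__ == "__main__":
    for line in audit(SAMPLE_CREDENTIALS, 0o644, SAMPLE_DAEMON_JSON):
        print("FINDING:", line)
```

On a real host you would feed `audit()` the contents of `~/.aws/credentials`, its `os.stat()` mode, `/etc/docker/daemon.json` and the running `dockerd` command line. The Docker check deliberately treats a `tcp://` listener as exposed unless TLS verification is on, because an unauthenticated Docker API lets anyone who can reach it start a container as root on the host; the credentials check flags only long-lived keys, since a stolen temporary session expires on its own.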

Researchers believe the hackers have not yet made use of the information stolen in these attacks: numerous credentials have been harvested and sent to the malware's command-and-control (C&C) servers, but none appear to have been used so far.

TeamTNT-owned Monero wallets appear to have accumulated roughly $300 in value so far, but Cado Security is confident the true figure is much higher.