Crypto-mining worm steals AWS credentials

A new cryptocurrency mining malware has been spotted in the wild - and it comes with a unique set of features.

According to cybersecurity researchers from Cado Security, besides mining cryptocurrency for its operators, the malware also steals Amazon Web Services (AWS) credentials.

The hackers could use the stolen AWS credentials to break into significantly more powerful AWS EC2 instances, install miners and increase cryptocurrency earnings, or instead simply sell the logins on the black market.

According to the report, the malware is operated by the cybercriminal syndicate TeamTNT. The group's modus operandi is simple: access the Docker API and deploy servers inside the Docker install, which then run DDoS and crypto-mining malware.

Researchers believe the hackers have not yet had the chance to use information stolen during these attacks. Numerous credentials have been harvested and sent to the malware’s command and control (C&C) servers, but the information is yet to be accessed.

TNT-owned Monero wallets appear to have accumulated roughly $300 in value so far, but Cado Security is confident the true figure is much, much higher. 

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.