Cloud Incident Response Blog | Cado Security

Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials

Written by Chris Doman | Aug 16, 2020 6:20:29 PM

Over the weekend we’ve seen a crypto-mining worm spread that steals AWS credentials. It’s the first worm we’ve seen that contains such AWS specific functionality. The worm also steals local credentials, and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves “TeamTNT”, compromise a number of Docker and Kubernetes systems.

These attacks are indicative of a wider trend. As organisations migrate their computing resources to cloud and container environments, we are seeing attackers following them there.


Figure 1: The message the TeamTNT worm prints to the screen when first run.

AWS Credential Theft

The AWS CLI stores credentials in an unencrypted file at ~/.aws/credentials, and additional configuration details in a file at ~/.aws/config.

The code to steal AWS credentials is relatively straightforward – on execution it uploads the default AWS .credentials and .config files to the attackers server, sayhi.bplace[.]net:


Figure 2: Code to steal AWS credentials from compromised systems.

Curl is used to send the AWS credentials to TeamTNT’s server, which responds with the message “THX”:


Figure 3: The network traffic generated by stolen AWS credentials.

We sent credentials created by CanaryTokens.org to TeamTNT, however have not seen them in use yet. This indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn’t currently functioning.

Proliferation

Most crypto-mining worms are an amalgamation of previous worms as authors copy and paste their competitors code. TeamTNT’s worm contains code copied from another worm named Kinsing, which is designed to stop the Alibaba Cloud Security tools:


Figure 4: Repurposed code to stop the Alibaba Cloud Security tools.

In turn, it is likely we will see other worms start to copy the ability to steal AWS Credentials files too.

Docker

The worm also includes code to scan for open Docker API’s using masscan, then spin up docker images and install itself:


Figure 5: Code to scan for open Docker APIs, then install the worm in a new container.

Post Exploitation

The worm deploys the XMRig mining tool to mine monero crypto-currency and generate cash for the attackers. One of the Mining pools they use provides detailed information about the systems the worm has compromised:


Figure 6: The statistics for the Monero wallet (below) on the Monero Ocean mining pool.

This page lists 119 compromised systems, some of which can be identified as Kubernetes Clusters and Jenkins Build Servers.So far we have seen two different Monero wallets associated with these latest attacks, which have earned TeamTNT about 3 XMR. That equates to only about $300 USD, however this is only one of their many campaigns.The worm also deploys a number of openly available malware and offensive security tools:

  • punk.py – A SSH post-exploitation tool
  • A log cleaning tool
  • Diamorphine Rootkit
  • Tsunami IRC Backdoor

TeamTNT

The worm contains numerous references to “TeamTNT” and the domain teamtnt[.]red. The domain hosts malware, and the homepage titled “TeamTNT RedTeamPentesting” is an odd reference to public malware sandboxes:


Figure 7: The home page for teamtnt[.]red.

Conclusion

Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying crypto-jacking worms are successful at infecting large amounts of business systems.

Below are some suggestions to help protect them:

  • Identify which systems are storing AWS credential files and delete them if they aren’t needed. It’s common to find development credentials have accidentally been left on production systems.
  • Use firewall rules to limit any access to Docker APIs. We strongly recommend using a whitelisted approach for your firewall ruleset.
  • Review network traffic for any connections to mining pools, or using the Stratum mining protocol.
  • Review any connections sending the AWS Credentials file over HTTP.

Previous Work

We would like to credit the previous research on TeamTNT by Trend Micro, Malware Hunter Team and r3dbU7z.

rule TeamTNT_Worm_August_2020 {

meta:

description = “Detects TeamTNT Worm”

author = “cdoman@cadosecurity.com”

date = “2020-08-16”

license = “Apache License 2.0”

hash1 = “3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f”

hash2 = “929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b”

hash3 = “705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0”

strings:

$a = “echo $LOCKFILE | base64 -d > $tmpxmrigfile” wide ascii

$b = “/root/.tmp/xmrig –config=/root/.tmp/” wide ascii

$c = “if [ -s /usr/bin/curl ]; then” wide ascii

$d = “echo ‘found: /root/.aws/credentials'” wide ascii

$e = “function KILLMININGSERVICES(){” wide ascii

$f = “hilde@teamtnt.red” wide ascii

$g = “touch /root/.ssh/authorized_keys 2>/dev/null 1>/dev/null” wide ascii

$h = “rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service” wide ascii

$i = “userfile=@/root/.ssh/id_ed25519.pub” wide ascii

condition:

filesize < 100KB and 1 of them

}

Monero Wallets

  • 88ZrgnVZ687Wg8ipWyapjCVRWL8yFMRaBDrxtiPSwAQrNz5ZJBRozBSJrCYffurn1Qg7Jn7WpRQSAA3C8aidaeadAn4xi4k
  • 85X7JcgPpwQdZXaK2TKJb8baQAXc3zBsnW7JuY7MLi9VYSamf4bFwa7SEAK9Hgp2P53npV19w1zuaK5bft5m2NN71CmNLoh

Domain Names

  • 6z5yegpuwg2j4len.tor2web[.]su
  • dockerupdate.anondns[.]net
  • teamtntisback.anondns[.]net
  • sayhi.bplaced[.]net
  • teamtnt[.]red
  • healthymiami[.]com (Compromised)
  • rhuancarlos.inforgeneses.inf[.]br (Compromised)

IP Addresses

  • 129.211.98[.]236
  • 85.214.149[.]236
  • 203.195.214[.]104

File-Hashes

  • 3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f
  • 929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b
  • 705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0