TeamTNT botnet now steals Docker API and AWS credentials

Researchers from Trend Micro discovered that the TeamTNT botnet is now able to steal Docker API logins along with AWS credentials.

Researchers from Trend Micro discovered that the TeamTNT botnet has been improved and is now able to steal Docker credentials as well.

The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and targets Docker installs. The activity of the TeamTNT group has been detailed by security firm Trend Micro, but in August experts from Cado Security discovered that the botnet is also able to target misconfigured Kubernetes installations.

Upon infecting Docker and Kubernetes systems running on AWS servers, the bot scans for ~/.aws/credentials and ~/.aws/config, the paths where the AWS CLI stores credentials and configuration details in unencrypted files.

The malware deploys the XMRig mining tool to mine Monero cryptocurrency.

The attribution of the recent infections to TeamTNT is based on its command-and-control URLs, some strings, crypto keys, and the language used in the samples analyzed by Trend Micro.

Compared to past similar attacks, the new samples have been significantly improved.

“The malicious shell script used here was developed in Bash. Compared to past similar attacks, the development technique was much more refined for this script; there were no more endless lines of code, and the samples were well-written and organized by function with descriptive names.” states the report.

The new variant of the bot is also able to collect Docker API credentials using a routine that simply checks for credential files on the machine and then exfiltrates them. The new sample also includes two new routines.

“The first one requests the AWS metadata service and tries to get the credentials from there. The other one checks the environment variables for AWS credentials; if these are present, they are uploaded to the C&C server.” continues the report.
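The three harvesting behaviours the report describes (reading the AWS CLI credential files, querying the instance metadata service for IAM credentials, and dumping AWS_* environment variables) are all visible in process-execution telemetry. The script below is an added detection sketch, not code from the Trend Micro report or from the TeamTNT samples: it parses a constructed process-execution log, tags each event with the indicator it matches, and then correlates by user so that a single routine read of ~/.aws/config by the AWS CLI does not alert on its own, while the combination the report describes does. The log format, the sample lines and the indicator names are all assumptions made for this example.

```python
"""Detection sketch for the credential-harvesting behaviour described in the
article. The log format and every sample line are constructed for this example;
adapt LINE_RE to your own auditd/EDR export before using the indicators."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-execution log (not taken from the Trend Micro report).
# One event per line: "<timestamp> uid=<n> comm=<process> cmd=<command line>"
SAMPLE_LOG = """\
2020-08-17T10:01:02Z uid=1000 comm=bash cmd=ls -la /home/app
2020-08-17T10:01:05Z uid=0 comm=sh cmd=cat /root/.aws/credentials
2020-08-17T10:01:06Z uid=0 comm=sh cmd=cat /root/.aws/config
2020-08-17T10:01:09Z uid=0 comm=curl cmd=curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
2020-08-17T10:01:10Z uid=0 comm=sh cmd=env | grep -i AWS_SECRET_ACCESS_KEY
2020-08-17T10:01:12Z uid=1000 comm=aws cmd=aws s3 ls
2020-08-17T10:02:00Z uid=0 comm=xmrig cmd=/tmp/xmrig --config /tmp/config.json
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) comm=(?P<comm>\S+) cmd=(?P<cmd>.*)$")

# Indicator name -> pattern, matched against "<comm> <cmd>" of each event.
INDICATORS = {
    # The report: the bot scans ~/.aws/credentials and ~/.aws/config.
    "aws_credential_file_read": re.compile(r"\.aws/(credentials|config)\b"),
    # The report: one routine requests the AWS metadata service for credentials.
    "imds_credential_request": re.compile(
        r"169\.254\.169\.254/latest/meta-data/iam/security-credentials"),
    # The report: the other routine checks environment variables for AWS credentials.
    "aws_env_var_harvest": re.compile(
        r"\b(env|printenv|set)\b.*AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)"),
    # The report: the payload is the XMRig miner.
    "miner_binary": re.compile(r"\bxmrig\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Alert:
    ts: str
    uid: int
    comm: str
    indicator: str
    cmd: str


def parse_line(line: str):
    """Return (ts, uid, comm, cmd) or None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], int(m["uid"]), m["comm"], m["cmd"]


def scan_log(text: str) -> list[Alert]:
    """Emit one Alert per (event, indicator) match, in log order."""
    alerts = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, uid, comm, cmd = parsed
        haystack = f"{comm} {cmd}"
        for name, pattern in INDICATORS.items():
            if pattern.search(haystack):
                alerts.append(Alert(ts, uid, comm, name, cmd))
    return alerts


def credential_theft_chains(alerts, min_indicators: int = 2) -> dict[int, set[str]]:
    """Group alerts by uid and keep users that tripped at least `min_indicators`
    distinct indicators. One read of ~/.aws/config is routine for the AWS CLI;
    file read + IMDS query + env dump from the same user is the pattern the
    report describes."""
    by_uid: dict[int, set[str]] = defaultdict(set)
    for a in alerts:
        by_uid[a.uid].add(a.indicator)
    return {uid: names for uid, names in by_uid.items() if len(names) >= min_indicators}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} uid={a.uid} {a.indicator}: {a.cmd}")
    for uid, names in credential_theft_chains(found).items():
        print(f"uid {uid} matched {len(names)} indicators: {sorted(names)}")
```

Correlating by user rather than alerting on each match is the design choice that keeps this usable: the `aws_credential_file_read` indicator alone fires on every legitimate CLI invocation that touches the config file, whereas the report's chain (file read, then metadata query, then environment dump) is what sets the infection apart from normal administration.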

The new attacks have only been seen targeting container platforms. Experts noticed that the container image holding all the malicious samples was created recently and has been downloaded a total of 2,000 times.

“The tactics have now evolved exponentially. The malicious scripts are being developed to steal more sensitive data such as credentials. They are now also equipped with other functions, like preparing the environment to make sure it would have resources enough to mine, being stealthy enough to keep mining for as long as possible, and also making sure to leave backdoors in case they need to remotely connect to their targets.” concludes the report.

“Since the attacks are now also looking for Docker credentials, implementing API authentication is not enough. System admins should also make sure that the API is not exposed publicly, and can only be accessed by those who need to.”
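The report's closing advice has two parts: authenticate the Docker API and do not expose it publicly. Both are decided by the daemon's `hosts` listeners and its TLS flags, which live either in `/etc/docker/daemon.json` or on the `dockerd` command line. The audit below is an added example written for this article, not a tool from Trend Micro or from the Docker project: it reads both sources, refuses the combination dockerd itself rejects (`hosts` set in both places), and grades each listener, with a constructed weak configuration next to a constructed hardened one. The `Finding` structure, severity labels and the sample configurations are assumptions made for this example; the `hosts`, `tls`, `tlsverify` and `tlscacert` keys and the `-H`/`--host`/`--tlsverify` flags are real dockerd options.

```python
"""Grade Docker daemon listeners against the article's two requirements:
API authentication (tlsverify) and no public exposure (bind address).
All sample configurations below are constructed for this example."""
import json
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed weak configuration: plaintext API on every interface, no client auth.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed hardened configuration: one specific interface, mutual TLS required.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    listener: str
    severity: str
    reason: str


def parse_dockerd_cmdline(cmdline: str) -> dict:
    """Extract -H/--host listeners and TLS flags from a dockerd command line."""
    args = shlex.split(cmdline)
    conf = {"hosts": [], "tls": False, "tlsverify": False}
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            conf["hosts"].append(args[i + 1])
            i += 2
            continue
        if a.startswith("--host="):
            conf["hosts"].append(a.split("=", 1)[1])
        elif a.startswith("-H") and len(a) > 2:          # -Htcp://... form
            conf["hosts"].append(a[2:])
        elif a in ("--tlsverify", "--tlsverify=true"):
            conf["tlsverify"] = True
            conf["tls"] = True                           # tlsverify implies tls
        elif a in ("--tls", "--tls=true"):
            conf["tls"] = True
        i += 1
    return conf


def load_config(daemon_json_text: str = "{}", cmdline: str = "dockerd") -> dict:
    """Merge daemon.json and command line. dockerd refuses to start when a
    directive such as hosts is given in both places, so mirror that here."""
    file_conf = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    cli_conf = parse_dockerd_cmdline(cmdline)
    if file_conf.get("hosts") and cli_conf["hosts"]:
        raise ValueError("hosts set in both daemon.json and on the command line")
    return {
        # With no hosts configured, dockerd listens only on the default unix socket.
        "hosts": list(file_conf.get("hosts") or cli_conf["hosts"] or ["unix:///var/run/docker.sock"]),
        "tls": bool(file_conf.get("tls", False) or cli_conf["tls"]),
        "tlsverify": bool(file_conf.get("tlsverify", False) or cli_conf["tlsverify"]),
    }


def assess(conf: dict) -> list[Finding]:
    """One Finding per listener, graded on authentication and reachability."""
    findings = []
    for h in conf["hosts"]:
        u = urlparse(h)
        if u.scheme in ("unix", "fd", "npipe"):
            findings.append(Finding(h, "info", "local socket; access governed by filesystem permissions"))
            continue
        if u.scheme != "tcp":
            findings.append(Finding(h, "medium", "unrecognised listener scheme; review manually"))
            continue
        bind = u.hostname or "0.0.0.0"                   # tcp://:2375 binds every interface
        all_ifaces = bind in ("0.0.0.0", "::")
        loopback = bind in ("127.0.0.1", "::1", "localhost")
        if not conf["tlsverify"]:
            detail = "TLS encrypts but does not authenticate clients" if conf["tls"] else "plaintext, unauthenticated"
            findings.append(Finding(h, "critical" if all_ifaces else "high",
                                    f"Docker API over TCP without tlsverify ({detail}); "
                                    "any client that can reach the port controls the daemon"))
        elif all_ifaces:
            findings.append(Finding(h, "medium", "client certificates required, but the API listens on every "
                                                 "interface; bind to a specific address and firewall the port"))
        elif loopback:
            findings.append(Finding(h, "info", "client certificates required on a loopback listener"))
        else:
            findings.append(Finding(h, "low", "client certificates required on one interface; confirm the "
                                              "port is firewalled to the hosts that need it"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default="info")


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        results = assess(load_config(text))
        print(f"{label}: worst={worst_severity(results)}")
        for f in results:
            print(f"  [{f.severity}] {f.listener}: {f.reason}")
```

Note that the hardened configuration still grades `low` rather than `info`: a TLS-authenticated listener on 10.0.0.5 satisfies the authentication requirement, but whether it is "exposed publicly" depends on what can route to that interface, which a configuration file cannot tell you. That residual finding is the report's point that authentication alone is not enough.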


Pierluigi Paganini

(SecurityAffairs – hacking, TeamTNT botnet)
