Researchers at Cado Security have discovered a crypto-mining worm attributed to the hacker group TeamTNT. The worm spreads across Amazon Web Services (AWS) cloud environments and harvests AWS credentials from the systems it compromises.
Once it has collected credentials, the malware uses them to log in and deploy the XMRig mining tool to mine Monero cryptocurrency. According to the researchers' report, the mining campaign itself is relatively unsophisticated.
The worm also deploys several openly available malware samples and offensive security tools, including the SSH post-exploitation tool punk.py, a log cleaning tool, the Diamorphine rootkit, and the Tsunami IRC backdoor.
So far the attackers have pocketed only a meager $300 in illicit profits. The report frames the campaign as part of a wider trend: attackers are quickly adapting to the growing number of organizations that move their computing resources into cloud and container environments.
"The worm also steals local credentials and scans the internet for misconfigured Docker platforms. We have seen the attackers compromise a number of Docker and Kubernetes systems," said Cado Security.
Attackers have been targeting Docker and Kubernetes with this kind of cryptomining malware for some time. They automatically scan for publicly accessible, open Docker and Kubernetes servers and then exploit them to start their own containers and run malware on the victim's infrastructure.
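In practice, the "open Docker server" these scans look for is a Docker Engine API bound to a network-reachable TCP address without TLS client authentication: anyone who can reach it can create containers on the host. The following is an added example, not code from the Cado Security report or from the malware: a small Python audit of Docker's daemon.json that flags that exposure, with a weak configuration shown beside a hardened one. The sample configurations are constructed for illustration; the ports 2375 (plaintext API) and 2376 (TLS API) are Docker's documented conventions.

```python
"""Audit a Docker daemon.json for the exposure that cryptomining worms
scan for: the Engine API listening on a non-loopback TCP address with
no TLS client verification.

Added example, not code from the Cado Security report or from TeamTNT.
"""
import ipaddress
import json
from urllib.parse import urlsplit

PLAINTEXT_API_PORT = 2375  # Docker's conventional unencrypted API port
TLS_API_PORT = 2376        # Docker's conventional TLS API port

# Constructed sample configurations (not taken from any real host).
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def _is_local_address(host):
    """True only for loopback; wildcard binds and routable hosts are not local."""
    if not host:
        return False  # "tcp://:2375" means bind every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit_daemon_config(daemon_json):
    """Return a list of (severity, message) findings for a daemon.json document."""
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    if isinstance(hosts, str):
        hosts = [hosts]

    tls_material = all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    tls_verify = bool(cfg.get("tlsverify")) and tls_material

    findings = []
    for h in hosts:
        parts = urlsplit(h)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable from the network
        host = parts.hostname
        port = parts.port or (TLS_API_PORT if tls_verify else PLAINTEXT_API_PORT)
        where = "tcp://%s:%d" % (host or "0.0.0.0", port)

        if _is_local_address(host):
            findings.append(("LOW", where + ": Engine API listens on loopback only"))
        elif not tls_verify:
            findings.append((
                "CRITICAL",
                where + ": Engine API reachable without TLS client auth; "
                "a remote caller can create privileged containers on this host",
            ))
        else:
            findings.append(("INFO", where + ": Engine API exposed but requires a client certificate"))

    if tls_material and not cfg.get("tlsverify"):
        findings.append(("MEDIUM", "TLS material is configured but tlsverify is false; clients are not authenticated"))

    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label)
        for severity, message in audit_daemon_config(doc):
            print("  [%s] %s" % (severity, message))
```

The audit treats `unix://` and `fd://` listeners as safe because they are only reachable by local processes; the hardening that matters is either removing the `tcp://` host entirely or keeping it behind `tlsverify` with a CA-issued client certificate. A firewall rule in front of port 2375 is a reasonable stopgap, but it does not change what the daemon itself accepts, so the audit does not credit it.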
The group recycled some of its code from another worm, Kinsing, which includes routines to disable Alibaba Cloud security tools.
Given this pattern of code reuse, the researchers expect future crypto-mining worms to copy the AWS credential-stealing code from TeamTNT's worm.
By examining the MoneroOcean mining pool used by the attackers, the researchers compiled a list of 119 systems successfully compromised by the worm.
Five months ago, a cybersecurity survey by Acronis found that 86 percent of IT professionals were concerned about the risks such attacks pose to their organizations.