# Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials

[cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials](https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials)

Blog, August 16, 2020

Over the weekend we've seen a crypto-mining worm spread that steals AWS credentials. It's the first worm we've seen that contains such AWS-specific functionality. The worm also steals local credentials and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves "TeamTNT", compromise a number of Docker and Kubernetes systems.

These attacks are indicative of a wider trend. As organisations migrate their computing resources to cloud and container environments, we are seeing attackers follow them there.

**Figure 1: The message the TeamTNT worm prints to the screen when first run.**

## AWS Credential Theft

[The AWS CLI stores credentials in an unencrypted file at `~/.aws/credentials`, and additional configuration details in a file at `~/.aws/config`.](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) The code to steal AWS credentials is relatively straightforward: on execution it uploads the default AWS `.credentials` and `.config` files to the attackers' server, sayhi.bplace[.]net:

**Figure 2: Code to steal AWS credentials from compromised systems.**

Curl is used to send the AWS credentials to TeamTNT's server, which responds with the message "THX":

**Figure 3: The network traffic generated by stolen AWS credentials.**

We sent credentials created by [CanaryTokens.org](https://canarytokens.org/generate) to TeamTNT, but have not seen them used yet. This indicates that TeamTNT either manually assess and use the credentials, or that any automation they may have created isn't currently functioning.
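As an added example (not code from this post), the Python below shows how a defender could look for the two traffic patterns the post describes: a cleartext `~/.aws/credentials` file leaving a host in an HTTP request body (as in Figure 3), and Stratum mining-protocol logins to a pool, which the Conclusion recommends reviewing for. The captured events, destination addresses and pool wallet are constructed for the example, and the AWS key and secret are the documentation placeholder values, not real credentials.

```python
import re

# Constructed sample of captured outbound payloads (made up for this example;
# the AWS key and secret are AWS documentation placeholders, not live credentials).
SAMPLE_EVENTS = [
    {"dst": "203.0.113.10:80", "payload":
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"},
    {"dst": "203.0.113.20:3333", "payload":
        '{"id":1,"jsonrpc":"2.0","method":"login",'
        '"params":{"login":"WALLET_PLACEHOLDER","agent":"XMRig/6.3.0"}}'},
    {"dst": "203.0.113.30:80", "payload":
        "GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"},
]

# ~/.aws/credentials is an INI file: a [profile] header followed by key = value lines.
PROFILE_RE = re.compile(r"^\[[^\]]+\]\s*$", re.M)
ACCESS_KEY_RE = re.compile(r"^aws_access_key_id\s*=\s*(?:AKIA|ASIA)[A-Z0-9]{16}\s*$", re.M)
SECRET_KEY_RE = re.compile(r"^aws_secret_access_key\s*=\s*[A-Za-z0-9/+]{40}\s*$", re.M)
# Stratum is JSON-RPC over TCP; XMRig uses "login"/"submit"/"keepalived",
# Bitcoin-style miners use "mining.*" method names.
STRATUM_RE = re.compile(r'"method"\s*:\s*"(?:login|submit|keepalived|mining\.[a-z_]+)"')


def looks_like_aws_credentials(text: str) -> bool:
    """True when a payload has the shape of a cleartext ~/.aws/credentials file."""
    return bool(PROFILE_RE.search(text) and ACCESS_KEY_RE.search(text)
                and SECRET_KEY_RE.search(text))


def looks_like_stratum(text: str) -> bool:
    """True when a payload carries a Stratum mining JSON-RPC method name."""
    return bool(STRATUM_RE.search(text))


def scan_events(events):
    """Return one (destination, reason) finding per suspicious payload."""
    findings = []
    for ev in events:
        if looks_like_aws_credentials(ev["payload"]):
            findings.append((ev["dst"], "aws-credentials-file-in-cleartext"))
        elif looks_like_stratum(ev["payload"]):
            findings.append((ev["dst"], "stratum-mining-protocol"))
    return findings


if __name__ == "__main__":
    for dst, reason in scan_events(SAMPLE_EVENTS):
        print(f"{dst}: {reason}")
```

Both checks only see cleartext payloads; the worm's upload went over plain HTTP, so the same content inside TLS would need to be caught on the host (for example by alerting on reads of `~/.aws/credentials` by `curl`) rather than on the wire.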
## Proliferation

Most crypto-mining worms are an amalgamation of previous worms, as authors copy and paste their competitors' code. TeamTNT's worm contains code copied from another worm named Kinsing, which is designed to stop the Alibaba Cloud Security tools:

**Figure 4: Repurposed code to stop the Alibaba Cloud Security tools.**

In turn, it is likely we will see other worms start to copy the ability to steal AWS credential files too.

## Docker

The worm also includes code to scan for open Docker APIs using [masscan](https://github.com/robertdavidgraham/masscan), then spin up Docker images and install itself:

**Figure 5: Code to scan for open Docker APIs, then install the worm in a new container.**

## Post Exploitation

The worm deploys the XMRig mining tool to mine Monero cryptocurrency and generate cash for the attackers. One of the mining pools they use provides detailed information about the systems the worm has compromised:

**Figure 6: The statistics for the Monero wallet (below) on the Monero Ocean mining pool.**

This page lists 119 compromised systems, some of which can be identified as Kubernetes clusters and Jenkins build servers. So far we have seen two different Monero wallets associated with these latest attacks, which have earned TeamTNT about 3 XMR. That equates to only about $300 USD; however, this is only one of their many campaigns.

The worm also deploys a number of openly available malware and offensive security tools:

- punk.py – an SSH post-exploitation tool
- A log cleaning tool
- Diamorphine rootkit
- Tsunami IRC backdoor

## TeamTNT

The worm contains numerous references to "TeamTNT" and the domain teamtnt[.]red. The domain hosts malware, and the homepage titled "TeamTNT RedTeamPentesting" is an odd reference to public malware sandboxes:

**Figure 7: The home page for teamtnt[.]red.**
## Conclusion

Whilst these attacks aren't particularly sophisticated, the numerous groups out there deploying crypto-jacking worms are successful at infecting large numbers of business systems. Below are some suggestions to help protect them:

- Identify which systems are storing AWS credential files and delete them if they aren't needed. It's common to find development credentials have accidentally been left on production systems.
- Use firewall rules to limit any access to Docker APIs. We strongly recommend using a whitelisted approach for your firewall ruleset.
- Review network traffic for any connections to mining pools, or using the Stratum mining protocol.
- Review any connections sending the AWS credentials file over HTTP.

## Previous Work

We would like to credit the previous research on TeamTNT by [Trend Micro](https://www.trendmicro.com/vinfo/hk-en/security/news/virtualization-and-cloud/coinminer-ddos-bot-attack-docker-daemon-ports), [Malware Hunter Team](https://twitter.com/malwrhunterteam/status/1256664761997148161) and [r3dbU7z](https://www.virustotal.com/gui/user/r3dbU7z/comments).

## YARA Rule

```yara
// The rule name did not survive on the page; "TeamTNT_Worm" is a placeholder.
rule TeamTNT_Worm
{
    meta:
        description = "Detects TeamTNT Worm"
        author = "[email protected]"   // author address redacted in the source page
        date = "2020-08-16"
        license = "Apache License 2.0"
        hash1 = "3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f"
        hash2 = "929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b"
        hash3 = "705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0"
    strings:
        $a = "echo $LOCKFILE | base64 -d > $tmpxmrigfile" wide ascii
        $b = "/root/.tmp/xmrig --config=/root/.tmp/" wide ascii
        $c = "if [ -s /usr/bin/curl ]; then" wide ascii
        $d = "echo 'found: /root/.aws/credentials'" wide ascii
        $e = "function KILLMININGSERVICES(){" wide ascii
        $f = "[email protected]" wide ascii   // e-mail address redacted in the source page
        $g = "touch /root/.ssh/authorized_keys 2>/dev/null 1>/dev/null" wide ascii
        $h = "rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service" wide ascii
        $i = "[email protected]/root/.ssh/id_ed25519.pub" wide ascii   // e-mail address redacted in the source page
    condition:
        filesize < 100KB and 1 of them
}
```

## Monero Wallets

- 88ZrgnVZ687Wg8ipWyapjCVRWL8yFMRaBDrxtiPSwAQrNz5ZJBRozBSJrCYffurn1Qg7Jn7WpRQSAA3C8aidaeadAn4xi4k
- 85X7JcgPpwQdZXaK2TKJb8baQAXc3zBsnW7JuY7MLi9VYSamf4bFwa7SEAK9Hgp2P53npV19w1zuaK5bft5m2NN71CmNLoh

## Domain Names

- 6z5yegpuwg2j4len.tor2web[.]su
- dockerupdate.anondns[.]net
- teamtntisback.anondns[.]net
- sayhi.bplaced[.]net
- teamtnt[.]red
- healthymiami[.]com (compromised)
- rhuancarlos.inforgeneses.inf[.]br (compromised)

## IP Addresses

- 129.211.98[.]236
- 85.214.149[.]236
- 203.195.214[.]104

## File Hashes

- 3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f
- 929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b
- 705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0

## About the Author

Chris Doman

Chris is well known for building the popular threat intelligence portal [ThreatCrowd](https://www.threatcrowd.org/), which subsequently merged into the AlienVault Open Threat Exchange, later acquired by AT&T. Chris is an industry-leading threat researcher and has published a number of widely read articles and papers on targeted cyber attacks. His research on topics such as the North Korean government's cryptocurrency theft schemes and [China's attacks against dissident websites](https://www.forbes.com/sites/daveywinder/2019/12/05/china-fires-great-cannon-cyber-weapon-at-the-hong-kong-pro-democracy-movement/#624c11297c85) has been widely discussed in the media. He has also [given interviews to print, radio and TV such as CNN and BBC News](https://www.youtube.com/watch?v=z_0oV_hsc08).

## About Cado Security

Cado Security provides the cloud investigation platform that empowers security teams to respond to threats at cloud speed. By automating data capture and processing across cloud and container environments, Cado Response effortlessly delivers forensic-level detail and unprecedented context to simplify cloud investigation and response.
Backed by Blossom Capital and Ten Eleven Ventures, Cado Security has offices in the United States and United Kingdom. For more information, please visit [https://www.cadosecurity.com/](https://www.cadosecurity.com/) or follow us on Twitter [@cadosecurity](https://twitter.com/CadoSecurity).