A Crypto-mining Botnet Is Now Stealing Docker And AWS Credentials

Analysts from security firm Trend Micro said in a report today that they've spotted a malware botnet that collects and steals Docker and AWS credentials.

Researchers have linked the botnet to a cybercrime operation known as TeamTNT; a group first spotted over the 2020 summer installing cryptocurrency-mining malware on misconfigured container platforms.

Initial reports at the time said that TeamTNT was breaching container platforms by looking for Docker systems that were exposing their management API port online without a password.

Researchers said the TeamTNT group would access exposed Docker containers, install a crypto-mining malware, but also steal credentials for Amazon Web Services (AWS) servers in order to pivot to a company's other IT systems to infect even more servers and deploy more crypto-miners.

At the time, researchers said that TeamTNT was the first crypto-mining botnet that implemented a feature dedicated to collecting and stealing AWS credentials.

TeamTNT gets more refined

But in a report today, Trend Micro researchers said that the TeamTNT gang's malware code had received considerable updates since it was first spotted last summer.

"Compared to past similar attacks, the development technique was much more refined for this script," said Alfredo Oliveira, a senior security researcher at Trend Micro.

"There were no more endless lines of code, and the samples were well-written and organized by function with descriptive names."

Furthermore, Oliveira says TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS creds-stealing code.

This feature is most likely used on container platforms where the botnet infects hosts using other entry points than its original Docker API port scanning feature.

Oliveira points out that with the addition of this feature, "implementing [Docker] API authentication is not enough" and that companies should make sure Docker management APIs aren't exposed online in the first place, even when using strong passwords.

But in case the API ports have to be enabled, the Trend Micro researcher recommends that companies deploy firewalls to limit who can access the port using allow-lists.