AWS Malware Harvests Credentials and Installs Cryptominers

Another cryptomining worm has been plaguing Amazon Web Services (AWS) cloud infrastructure. Security experts warn that the worm, attributed to a group called TeamTNT, has a number of nefarious side effects. Its primary focus is mining cryptocurrency on the hosts it takes over, but it also steals server and user credentials so that those hosts can be exploited further. The worm bundles a number of known malware and evasion tools, such as punk.py, log cleaning and the Diamorphine rootkit.

Cyber security experts are urging businesses that use AWS to identify storage volumes and AWS credential files that they did not explicitly create. Such files must be removed. In addition, network traffic should be analysed closely, and AWS account owners should continuously monitor their cloud servers: look for connections to mining pools, and flag credentials being moved over HTTP and report them to AWS. A further way to protect yourself is to use firewall rules to limit access to server APIs on AWS.


The worm scans the platform for misconfigured servers and unsecured backdoors, and uses them to infiltrate the servers and steal cloud credentials. Malware of this kind is usually engaged in cryptomining, but the backdoor access it establishes can be put to other uses, from denial-of-service to sabotage to ransomware. The attacks exploit the way AWS credential files are stored: they are not encrypted, so the code that steals them does not need to be complicated, as the files can simply be opened and read. Once the credential files have been uploaded to TeamTNT, new server images can be installed and existing ones compromised.
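A small defender-side script that puts the advice above into practice, added here as an example and not part of the original article: it lists the profiles in an AWS CLI credentials file that are not on the team's allowlist (a profile nobody created is the artefact to hunt for), checks whether that plaintext file is readable by other users on the host, and flags access key IDs that show up in plaintext HTTP requests in a proxy log. The credentials file, the log lines, the `backup-sync` profile name and the allowlist are all constructed for the example; the `default` key pair is AWS's published documentation example.

```python
import configparser
import re
import stat
from pathlib import Path

# AWS long-term access key IDs start with AKIA (temporary ones with ASIA),
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Constructed sample of a ~/.aws/credentials file (INI format, stored unencrypted).
# "backup-sync" is a made-up profile standing in for one an intruder dropped on the host.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[backup-sync]
aws_access_key_id = AKIAEXAMPLEEXAMPLE02
aws_secret_access_key = EXAMPLE-SECRET-DO-NOT-USE
"""

# Constructed proxy log lines; only the second carries a key over plaintext http://.
SAMPLE_HTTP_LOG = [
    "2020-08-17T10:01:02Z 10.0.1.5 GET https://api.example.com/health 200",
    "2020-08-17T10:02:10Z 10.0.1.5 POST http://203.0.113.10/up "
    "aws_access_key_id=AKIAIOSFODNN7EXAMPLE 200",
]

def unapproved_profiles(credentials_text, approved):
    """Profile names in the credentials file that are not on the team's allowlist."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    return sorted(name for name in parser.sections() if name not in approved)

def is_group_or_world_readable(mode):
    """True if the file mode lets anyone but the owner read the plaintext keys."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def find_key_leaks(log_lines):
    """(line_index, access_key_id) pairs for keys seen in plaintext http:// requests."""
    return [(i, key) for i, line in enumerate(log_lines)
            if "http://" in line for key in ACCESS_KEY_RE.findall(line)]

def audit_host(approved=("default",), path=Path.home() / ".aws" / "credentials"):
    """Run the file checks against the real credentials file on this host, if any."""
    if not path.is_file():
        return None
    return {"unapproved": unapproved_profiles(path.read_text(), approved),
            "readable_by_others": is_group_or_world_readable(path.stat().st_mode)}
```

Run `audit_host()` on each instance with the profiles your team actually provisioned as the allowlist; any other profile, or a mode other than 0600, is worth investigating.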

The TeamTNT group has been vocal in taking credit for these attacks. It has been using the domain teamtnt.red to host other malware and has a homepage entitled ‘TeamTNT RedTeamPentesting’. On examination, security experts counted 119 compromised servers across AWS. The amount of cryptocurrency mined by TeamTNT has been small, but the volume of stolen user data and the number of servers infected by the malware continue to grow.

Businesses are moving faster to embrace cloud and remote computing because of the Covid-19 pandemic. This has opened up new avenues of attack for cybercriminals, from home computers and devices to incursions into cloud infrastructure. These attacks are not new, but the threat has grown as the number of possible targets has grown. Automated scans looking to exploit cloud infrastructure and online servers have kept security experts fighting unusually high rates of attack.