silversurfer

Security researchers have discovered what appears to be the first crypto-mining malware operation that contains functionality to steal AWS credentials from infected servers.

This new data-stealing feature was spotted in the malware used by TeamTNT, a cybercrime group that targets Docker installs.

The group has been active since at least April, according to research published earlier this year by security firm Trend Micro.
Per the report, TeamTNT operates by scanning the internet for Docker systems that have been misconfigured and have left their management API exposed on the internet without a password.

But in a new report published today, UK security firm Cado Security says the TeamTNT gang has recently updated its mode of operation.
Cado researchers say that besides the original functionality, TeamTNT has now also expanded its attacks to target Kubernetes installations.
 

Correlate

The malware harvests AWS credentials and installs Monero cryptominers.
A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.
 