Security researchers have discovered what appears to be the first crypto-mining malware operation that contains functionality to steal AWS credentials from infected servers.
This new data-stealing feature was spotted in the malware used by TeamTNT, a cybercrime group that targets Docker installs.
The group has been active since at least April, according to research published earlier this year by security firm Trend Micro.
Per the report, TeamTNT operates by scanning the internet for Docker systems that have been misconfigured and have left their management API exposed on the internet without a password.
But in a new report published today, UK security firm Cado Security says the TeamTNT gang has recently updated its mode of operation.
Cado researchers say that besides the original functionality, TeamTNT has now also expanded its attacks to target Kubernetes installations.