Analysts from security firm Trend Micro said in a report today that they’ve spotted a malware botnet that collects and steals Docker and AWS credentials.
Researchers have linked the botnet to a cybercrime operation known as TeamTNT; a group first spotted over the 2020 summer installing cryptocurrency-mining malware on misconfigured container platforms.
Initial reports at the time said that TeamTNT was breaching container platforms by looking for Docker systems that were exposing their management API port online without a password.
Researchers said the TeamTNT group would access exposed Docker containers, install a crypto-mining malware, but also steal credentials for Amazon Web Services (AWS) servers in order to pivot to a company’s other IT systems to infect even more servers and deploy more crypto-miners.
At the time, researchers said that TeamTNT was the first crypto-mining botnet that implemented a feature dedicated to collecting and stealing AWS credentials.
TeamTNT gets more refined
But in a report today, Trend Micro researchers said that the TeamTNT gang’s malware code had received considerable updates since it was first spotted last summer.
“Compared to past similar attacks, the development technique was much more refined for this script,” said Alfredo Oliveira, a senior security researcher at Trend Micro.Source…