This new data-theft feature was detected in crypto-mining malware used by TeamTNT, a hacking group that targets Docker installations.
The group has been active since at least April, according to a report released by the security company Trend Micro.
The group then gains access to the API and deploys servers inside the Docker installation that run DDoS and crypto-mining malware. These tactics are not unique; many other hacking groups use the same methods.
However, in a new report published on 17 August, the UK security company Cado Security says that the TeamTNT gang has upgraded its mode of operation.
Security researchers say that, in addition to its core business, TeamTNT has begun launching attacks that target Kubernetes installations.
TeamTNT now steals AWS credentials
In addition to the attacks on new targets, Cado researchers say TeamTNT's crypto-mining malware has a new feature that scans the underlying infected servers to find and steal Amazon Web Services (AWS) credentials.
If the infected Docker and Kubernetes systems run on AWS infrastructure, the TeamTNT gang scans for ~/.aws/credentials and ~/.aws/config, then copies and uploads both files to its command-and-control server.
Neither of these files is encrypted; both contain credentials and configuration details for the underlying AWS account (and infrastructure) in plain text.
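A defender-side audit for the exposure described above, as an added example that is not part of the original article or of Cado's report: it checks the same two files on a host and reports loose permissions and any plaintext access keys, separating long-term IAM keys (AKIA prefix) from temporary STS keys (ASIA prefix). The function names and the /home plus /root layout are assumptions.

```python
import configparser
import stat
from pathlib import Path

# The two files the article says the malware collects, relative to a home directory.
TARGETS = (".aws/credentials", ".aws/config")


def key_kind(key_id):
    """Classify an access key ID by its documented prefix."""
    if key_id.startswith("AKIA"):
        return "long-term"   # IAM user key, valid until rotated or deleted
    if key_id.startswith("ASIA"):
        return "temporary"   # STS session key, expires on its own
    return "unknown"


def audit_home(home):
    """Return (path, issue, detail) findings for one home directory."""
    findings = []
    for rel in TARGETS:
        path = Path(home) / rel
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:
            findings.append((str(path), "permissions", f"mode {mode:04o}"))
        parser = configparser.RawConfigParser()  # no % interpolation of secrets
        try:
            parser.read(path)
        except (configparser.Error, UnicodeDecodeError) as exc:
            findings.append((str(path), "unparsed", type(exc).__name__))
            continue
        for section in parser.sections():
            key_id = parser.get(section, "aws_access_key_id", fallback="")
            if key_id:
                # Report the profile and key type only, never the secret itself.
                findings.append((str(path), "plaintext-key",
                                 f"profile [{section}] holds a {key_kind(key_id)} key"))
    return findings


if __name__ == "__main__":
    # Assumed layout: user homes under /home plus /root; adjust for the host.
    homes = [p for p in Path("/home").glob("*") if p.is_dir()] + [Path("/root")]
    for home in homes:
        try:
            for finding in audit_home(home):
                print(*finding, sep="\t")
        except PermissionError:
            print(home, "skipped", "permission denied", sep="\t")
```

A long-term key found on a container host is the finding to act on first, since it stays valid after the file is copied until someone rotates or deletes it.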
Security researchers believe the attackers have not yet used the stolen AWS credentials. They said they sent canary credentials to TeamTNT's C&C server, but none of those accounts had been accessed before August 17, when they published their research.
Nevertheless, TeamTNT is expected to significantly increase its profits, either by installing crypto-mining malware on more powerful AWS EC2 clusters or by selling the stolen credentials on the black market. At this time, Cado does not have a complete picture of TeamTNT's new crypto-mining business, as the security company was able to track only some of the Monero wallets the group uses to collect cryptocurrency.