A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.
According to researchers at Cado Security, the worm also deploys a number of openly available malware and offensive security tools, including “punk.py,” a SSH post-exploitation tool; a log cleaning tool; the Diamorphine rootkit; and the Tsunami IRC backdoor.
