Ethical Hacking News

A Mysterious Framework Worms Its Way Through Exposed Cloud Instances


A mysterious framework worm has been discovered taking over already-compromised systems by removing TeamPCP infections, though its ultimate purpose remains unclear. The discovery underscores the continuing risk posed by cloud services that are reachable without authentication.

  • The mysterious framework worm, dubbed PCPJack, has been discovered by SentinelOne's researchers and is targeting exposed cloud instances.
  • The worm removes all traces of TeamPCP infections and is designed to harvest credentials from compromised systems.
  • PCPJack spreads itself to new, unsecured cloud environment targets and can conduct lateral movement within a victim's environment.
  • The worm's operators may use stolen credentials for financial fraud or spam campaigns, or make them available to others planning similar crimes.
  • Mitigation recommendations include keeping cloud platforms secure and ensuring authentication is required for exposed instances like Docker and Kubernetes.



    Recently, a mysterious framework worm was discovered by security outfit SentinelOne's SentinelLabs researchers, which has been wreaking havoc on exposed cloud instances and removing all traces of TeamPCP infections. The worm, dubbed PCPJack for its habit of hijacking systems that TeamPCP had previously compromised, is not a benevolent force in the cybercrime world.



    The first indication of the worm's presence was found in late April, when it turned up in the results of a Kubernetes-focused VirusTotal hunting rule. Although researchers initially thought the toolset might be the work of a researcher cleaning up TeamPCP's infections, further analysis revealed otherwise.



    According to SentinelLabs, "Analysis of the later-stage payloads indicates otherwise." Further investigation into the script revealed a full framework dedicated to cloud credential harvesting and propagating onto other systems, both internal and external to the victim's environment. In essence, this worm is designed to harvest credentials from any system it can get its hands on and then spread itself to new, unsecured cloud environment targets.



    TeamPCP, which emerged late last year, gained notoriety for successfully compromising the Trivy vulnerability scanner. This led to a wave of credential-harvesting malware that attackers used to pivot to more valuable targets, marking one of the most notable supply chain attacks in recent memory.



    Unlike TeamPCP's campaign, which relied on human operators spreading compromised software, this worm spreads of its own accord. Infections begin when already-infected systems look for exposed services, including Docker, Kubernetes, Redis, MongoDB, and RayML, as well as exposed web applications. Once it finds a vulnerable environment, the worm runs a shell script that sets up an environment to download additional payloads and searches for TeamPCP processes and artifacts to kill.



    This part of the infection downloads the worm itself, along with modules to enable lateral movement, parse credentials, encrypt them for exfiltration, and scan the web for new environments to infect. The worm then proceeds to use its second module to conduct the actual credential thefts, targeting environment variables, config files, SSH keys, Docker secrets, Kubernetes tokens, and credentials from a long list of finance, enterprise, messaging, and cloud service targets.



    SentinelLabs noted that the lack of a cryptominer in the malware package is unusual, suggesting its goal may be either to conduct spam campaigns and financial fraud with the stolen data or make it available to those planning similar crimes. Furthermore, the worm's practice of removing TeamPCP files could be opportunistic or imply drama within the cybercrime world.



    "We have no evidence to suggest whether this toolset represents someone associated with the group or familiar with their activities," SentinelLabs stated. "However, the first toolset’s focus on disabling and replacing TeamPCP’s services implies a direct focus on the threat actor's activities rather than pure cloud attack opportunism."



    Given that this worm relies on unsecured cloud and web app instances ripe for targeting, mitigation recommendations are straightforward: Keep your cloud platforms secure, and ensure authentication is required even for instances of things like Docker and Kubernetes that aren't exposed to the internet.
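The following is an added example, not code from the article or from SentinelLabs, showing how a defender could audit the two most common exposures named above: a Docker daemon serving its API over TCP without TLS client verification, and a Redis instance bound to a non-loopback address without a password. The sample daemon.json and redis.conf contents are constructed for the example.

```python
import json

# Constructed sample configs (not from the article) showing the weak settings it warns about.
DOCKER_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass is commented out, so anyone who can reach the port may run commands
# requirepass change-me
"""

def audit_docker(daemon_json: str) -> list[str]:
    """Flag Docker API TCP listeners that do not require TLS client certificates."""
    cfg = json.loads(daemon_json)
    tls_verify = cfg.get("tlsverify", False)
    return [f"docker: {h} serves the API without tlsverify"
            for h in cfg.get("hosts", []) if h.startswith("tcp://") and not tls_verify]

def parse_redis_conf(conf: str) -> dict[str, str]:
    """Keep the last value of each active (uncommented) redis.conf directive."""
    settings = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    return settings

def audit_redis(conf: str) -> list[str]:
    """Flag a Redis instance reachable from other hosts with no password set."""
    s = parse_redis_conf(conf)
    if "requirepass" in s:
        return []
    binds = s.get("bind", "").split()
    wide_bind = [b for b in binds if b not in ("127.0.0.1", "::1", "-::1")]
    # Protected mode only guards an instance with no bind directive and no password,
    # so an explicit non-loopback bind is exposed even with protected-mode yes.
    if wide_bind or (not binds and s.get("protected-mode", "yes") == "no"):
        return [f"redis: no requirepass, bound to {' '.join(binds) or 'all interfaces'}"]
    return []

def run_audit() -> list[str]:
    """One finding per unauthenticated exposure in the sample configs."""
    return audit_docker(DOCKER_DAEMON_JSON) + audit_redis(REDIS_CONF)

if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Point the two functions at the real `/etc/docker/daemon.json` and `redis.conf` on a host to audit it; a clean configuration returns an empty list.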





    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Mysterious-Framework-Worms-Its-Way-Through-Exposed-Cloud-Instances-ehn.shtml

  • https://www.theregister.com/security/2026/05/08/worm-rubs-out-competitors-malware-then-takes-control/5237389


  • Published: Fri May 8 12:45:29 2026 by llama3.2 3B Q4_K_M