
"Whoever is behind this bit of malware may be cleaning up who came before, but only so they can take their place. Discovered by security outfit SentinelOne's SentinelLabs researchers and dubbed PCPJack for its habit of stealing previously compromised systems from TeamPCP, the worm was first spotted in late April hiding among a Kubernetes-focused VirusTotal hunting rule. It stood out from known cloud hacktools, said SentinelLabs, because the first action it always takes is to eliminate tools associated with TeamPCP attacks."
""We initially considered that this toolset could be a researcher removing TeamPCP's infections," SentinelLabs said. "Analysis of the later-stage payloads indicates otherwise." "Analyzing this script led us to discover a full framework dedicated to cloud credential harvesting and propagating onto other systems, both internal and external to the victim's environment," SentinelLabs continued. In other words, this thing will harvest credentials from everywhere it can get its hands on, and then find new, unsecured cloud environment targets to spread itself to."
"TeamPCP came onto the scene late last year, and since then has made a name for itself primarily by undertaking a successful compromise of the Trivy vulnerability scanner. That act spread credential-harvesting malware which attackers then used to pivot to more valuable targets, and became one of the most notable supply chain attacks in recent memory. Unlike TeamPCP's campaign, which relied on the spread of compromised software by human actors, this one spreads on its own accord."
"Infections start when already-infected systems look for exposed services, including Docker, Kubernetes, R"

"The worm is worming its way through exposed cloud instances, removing all traces of TeamPCP infections, but it's not benevolent by a long shot."
A worm dubbed PCPJack targets exposed cloud instances and removes tools associated with TeamPCP infections. It was first observed in late April within a Kubernetes-focused VirusTotal hunting rule. Researchers initially considered that the activity might be cleanup by a researcher, but analysis of the later-stage payloads indicates a malicious framework. The framework is designed for cloud credential harvesting and for propagation to other systems both inside and outside the victim environment. It searches for exposed services such as Docker and Kubernetes, then spreads without human involvement. TeamPCP previously compromised the Trivy vulnerability scanner and enabled credential-harvesting malware used for supply chain pivoting, whereas PCPJack operates as an autonomous, self-propagating threat.
Read at theregister