PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale

MITRE Techniques

• [T1059.004 ] Unix Shell – bootstrap.sh runs as a shell script to set up the environment, download payloads, and launch the worm (‘The infection begins with bootstrap.sh, a shell script designed for Linux systems.’)
• [T1105 ] Ingress Tool Transfer – downloads additional payloads and modules from attacker-controlled infrastructure (‘Download six Python modules from the attacker’s S3 URL’ and ‘downloads bootstrap.sh from the C2 payload host’)
• [T1543.003 ] Create or Modify System Process: Windows Service / systemd Service – persistence is created via sys-monitor.service / spm-worker.service (‘If run as root: create sys-monitor.service’ and ‘Persistence set by monitor.py’)
• [T1053.003 ] Scheduled Task/Job: Cron – uses crontabs and Redis cron rewrite to relaunch the malware (‘create two crontabs’ and ‘performs a Redis cron rewrite, resulting in a cron job’)
• [T1027 ] Obfuscated Files or Information – sensitive strings are hex-encoded and XOR-decrypted to hide infrastructure and constants (‘Sensitive strings are stored in the source code as a hex-encoded blob’)
• [T1552.001 ] Unsecured Credentials: Credentials In Files – steals secrets from .env, config files, SSH files, and other local stores (‘steals: .env files and config files’ and ‘SSH private keys’)
• [T1003 ] OS Credential Dumping – harvests credentials and tokens from multiple local and cloud sources (‘Environment variables filtered for secrets’ and ‘AWS IMDS credentials’)
• [T1041 ] Exfiltration Over C2 Channel – sends encrypted stolen data to Telegram channels (‘exfiltrated the encrypted data before it is sent to the attacker’s Telegram channel’)
• [T1090.001 ] Proxy: Internal Proxy – uses Telegram as a command channel for posting data and receiving commands (‘posts data to one channel and checks another to receive commands’)
• [T1021.004 ] Remote Services: SSH – laterally moves by trying SSH keys and spraying SSH targets (‘These combinations are tried against any hosts running SSH’)
• [T1021.005 ] Remote Services: VNC? – not mentioned
• [T1219 ] Remote Access Software – uses Sliver beacons for command-and-control (‘pulls the matching Sliver binary’)
• [T1046 ] Network Service Scanning – scans for exposed Docker, Kubernetes, MongoDB, RayML, and Redis services (‘cloud_scan.py … scans external cloud services’)
• [T1069.003 ] Permission Groups Discovery: Cloud Groups – enumerates Kubernetes namespaces and pods via the API (‘use the service account to authenticate with the Kubernetes management API to enumerate namespaces and pods’)
• [T1611 ] Escape to Host – attempts container escape by mounting the host filesystem (‘attempts a container escape by mounting the host filesystem to a new container’)
• [T1496 ] Resource Hijacking – not used; no cryptominers were deployed (‘neither of the two toolsets … performed any cryptocurrency mining’)
• [T1087.004 ] Account Discovery: Cloud Account – queries IMDS and cloud secrets during harvesting (‘AWS Instance Metadata Service’ and cloud credential collection)
• [T1119 ] Automated Collection – scans directories and git history for secrets and harvested credentials (‘searches … for config or secret files’ and ‘searches through git history for deleted secrets’)