A new malware known as PCPJack is actively targeting cloud environments, aiming to exploit exposed services and harvest credentials on a large scale. The threat focuses on Docker, Kubernetes, Redis, and MongoDB deployments, exploiting misconfigurations or vulnerabilities to steal credentials and, potentially, to enable financial fraud.
Unique Approach: Bypassing Cryptocurrency Mining
Unlike typical cloud-targeting malware, PCPJack does not engage in cryptocurrency mining. Instead, it opts for a different profit strategy. The malware begins its operation with a shell script named bootstrap.sh, which operates on Linux-based cloud systems. This script sets the stage by installing Python, downloading necessary modules, establishing persistence, and activating the main orchestrator.
PCPJack distinguishes itself by removing a competing threat, TeamPCP, from infected systems, a sign of active competition among cloud-focused threat actors. SentinelOne researchers identified PCPJack as a credential-stealing tool with worm-like spreading capabilities. Alex Delamotte from SentinelOne states that the malware extracts credentials from various services and transmits the data via attacker-controlled channels, all while attempting to propagate further.
Comprehensive Credential Harvesting
The malware gathers a wide array of sensitive information, including SSH keys, Slack tokens, WordPress database credentials, API keys, and cryptocurrency wallets. PCPJack encrypts this data before transmitting it to a Telegram channel. The malware also monitors and confirms the removal of TeamPCP infections, indicating a targeted and competitive intent.
PCPJack uses external cloud infrastructure scanning to spread, targeting Docker, Kubernetes, Redis, MongoDB, and RayML. By downloading common hostnames, the malware can identify new victims without hardcoding addresses, potentially covering up to 104 million entries per cycle. It exploits known vulnerabilities such as authentication bypasses and file upload flaws to infiltrate systems.
Targeting Multiple Platforms and Services
SentinelOne’s analysis also uncovered a Sliver-based backdoor on the attacker’s server, which supports various system architectures. This backdoor ensures persistent remote access, masquerading as legitimate system files to avoid detection. Beyond cloud services, PCPJack also targets messaging and financial platforms, as well as productivity tools, indicating possible extortion or credential resale motives.
To mitigate exposure, organizations are advised to enforce multi-factor authentication, use secure metadata services, and require proper authentication on every exposed API, including the Docker, Kubernetes, Redis, and MongoDB interfaces this malware targets. Adopting least-privilege principles and regularly auditing configuration files for sensitive data are also recommended.
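The two audit recommendations above (checking that exposed services actually require authentication, and checking configuration files for embedded secrets) can be partly automated. The following is an added example written for this article; it is not PCPJack's code and not SentinelOne tooling. The secret patterns, the per-service checks, the service labels ("redis", "mongodb", "docker") and the sample configuration snippets are all assumptions constructed for illustration; the configuration directives themselves (Redis requirepass and protected-mode, MongoDB security.authorization, the Docker daemon hosts and tlsverify settings, the WordPress DB_PASSWORD define) are real.

```python
"""Audit configuration text for embedded secrets and weak service authentication.

Added example for this article; not PCPJack's code and not SentinelOne tooling.
Patterns, service checks and sample inputs are assumptions chosen to illustrate
the recommended audit, not an exhaustive ruleset.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Finding:
    path: str
    line: int      # 1-based line number; 0 when the finding applies to the whole file
    rule: str
    detail: str


# Secret shapes commonly found in config files, most specific first (assumed patterns).
SECRET_PATTERNS: Dict[str, "re.Pattern"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "wordpress_db_password": re.compile(
        r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"]([^'\"]+)['\"]"),
    "credential_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}


def _redact(value: str) -> str:
    """Keep only a short prefix so the audit report does not itself leak the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_secrets(path: str, text: str) -> List[Finding]:
    """Flag lines that look like embedded credentials (at most one finding per line)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out lines are skipped to reduce noise
        for rule, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(path, lineno, rule, _redact(value)))
                break
    return findings


def check_service_auth(path: str, service: str, text: str) -> List[Finding]:
    """Flag settings that leave Redis, MongoDB or the Docker daemon reachable without
    authentication. The service labels are an assumption of this example."""
    findings: List[Finding] = []
    active = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]

    def any_line(pattern: str) -> bool:
        return any(re.search(pattern, ln) for ln in active)

    if service == "redis":
        if not any_line(r"^\s*requirepass\s+\S+"):
            findings.append(Finding(path, 0, "redis_no_requirepass", "no password configured"))
        if any_line(r"^\s*protected-mode\s+no\b"):
            findings.append(Finding(path, 0, "redis_protected_mode_off", "protected-mode disabled"))
    elif service == "mongodb":
        if not any_line(r"^\s*authorization:\s*enabled\b"):
            findings.append(Finding(path, 0, "mongodb_auth_disabled",
                                    "security.authorization is not enabled"))
    elif service == "docker":
        if any_line(r"tcp://0\.0\.0\.0:2375\b") and not any_line(r"tlsverify"):
            findings.append(Finding(path, 0, "docker_api_plaintext",
                                    "daemon API exposed on TCP 2375 without TLS"))
    return findings


# Constructed sample files: (service label, contents). Values are fake, not real credentials.
SAMPLES: Dict[str, Tuple[str, str]] = {
    "wp-config.php": ("none", "define('DB_NAME', 'blog');\ndefine('DB_PASSWORD', 'Sup3rS3cretPw!');\n"),
    ".env": ("none", "# SLACK_TOKEN=disabled\nSLACK_TOKEN=xoxb-000000000000-EXAMPLEonly\n"
                     "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AA\n"),
    "redis.conf": ("redis", "bind 0.0.0.0\nprotected-mode no\n# requirepass changeme\n"),
    "mongod.conf": ("mongodb", "net:\n  bindIp: 0.0.0.0\nsecurity:\n  authorization: disabled\n"),
    "daemon.json": ("docker", '{\n  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]\n}\n'),
}


def audit(samples: Dict[str, Tuple[str, str]] = SAMPLES) -> Dict[str, List[Finding]]:
    """Run both checks over every sample and return findings keyed by path."""
    return {path: scan_secrets(path, text) + check_service_auth(path, service, text)
            for path, (service, text) in samples.items()}


if __name__ == "__main__":
    for path, findings in audit().items():
        for f in findings:
            print(f"{path}:{f.line} [{f.rule}] {f.detail}")
```

Run against real files, the same functions take the file contents read from disk; the report redacts matched values so it can be shared with an owning team without re-leaking the secret, and a file-wide finding (line 0) means a required directive is absent rather than present with a bad value.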
Conclusion and Recommendations
PCPJack represents a significant threat to cloud environments, with its focus on credential theft rather than cryptocurrency mining. Security teams should prioritize protective measures to safeguard against such threats. Continuous monitoring, timely updates, and adherence to security best practices are essential to defend against this and similar malware.
