After Replacing TeamPCP Malware, ‘PCPJack’ Steals Cloud Secrets

by David Walker

Researchers have spotted a modular cloud worm that will clear you of any infections by the dangerous supply chain attacker “TeamPCP,” free of charge. The catch: It wants your secrets.

SentinelLabs named the program “PCPJack” in a new blog post, and described it as “well developed” — effective, with a few inexplicable but superficial oddities. Affected organizations stand to lose secrets associated with their cloud, container, developer, productivity, and financial services, unless they implement cloud security best practices, concealing passwords and keys behind vaults and multifactor checks.

What to Know About PCPJack

In many ways, PCPJack reflects the malware it’s built to root out: It scans for open and exploitable cloud services, performs broad sweeps for valuable credentials, then rinses and repeats.

Initial entry is managed by a module called “bootstrap.” Besides establishing persistence and downloading the malware’s other Python modules, it wastes no time in searching for and killing any processes belonging to TeamPCP.

The main orchestrator script, “monitor,” runs next and begins collecting system metrics, similar to a benign system monitoring utility. Though this data is of use to the attacker, researchers believe the primary purpose of this scan is to disguise the malware from onlookers. The module then starts stealing local configuration and environment files, and a variety of cloud, container, and cryptocurrency wallets, tokens, and keys. The mass of secrets stolen by monitor.py then passes to a module called “utils,” which sorts through and categorizes it.

Besides those cloud services already named, PCPJack targets email services — Gmail, Microsoft Outlook, Mailchimp — and other popular, miscellaneous cloud applications — AWS, GitHub, Slack, WordPress — as well as the most widely known names in crypto: currencies like Bitcoin and Ethereum, exchanges like Coinbase and Binance, fintech services like Stripe.

As SentinelLabs notes, organizations that conceal their secrets in vaults, require multifactor authentication (MFA) for service accounts, and generally implement good cloud security hygiene can save themselves from the worst of what PCPJack and TeamPCP can do.
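Vault migration starts with knowing where plaintext secrets already sit. As an added defensive illustration (not SentinelLabs’ code or anything from the article), the following Python audits the kinds of environment and configuration files the article says the monitor module harvests, matching public vendor token formats for AWS, GitHub, Slack and Stripe plus a generic KEY=value rule; the sample .env it creates is constructed, and the file-name heuristics are an assumption.

```python
import os
import re
import tempfile

# Token formats follow public vendor documentation; the generic rule catches
# KEY=value assignments with no vendor-specific prefix, so it is listed last.
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Slack bot token": re.compile(r"\bxoxb-[0-9A-Za-z-]{20,}\b"),
    "Stripe live secret key": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "Generic assignment": re.compile(r"(?i)(?:api[_-]?key|secret|token|password)\s*=\s*(\S{8,})"),
}
CONFIG_SUFFIXES = (".env", ".json", ".yaml", ".yml", ".toml", ".ini", ".npmrc", "credentials")

def is_config_file(name):
    # Assumed heuristic: environment and configuration files of the kind the monitor module reads.
    return name.startswith(".env") or name.endswith(CONFIG_SUFFIXES)

def redact(value):
    # Keep only a prefix and suffix so the report itself does not re-expose the secret.
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."

def scan_tree(root):
    """Return (path, line number, secret kind, redacted value) for every hit under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in filter(is_config_file, files):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                lines = fh.read().splitlines()
            for lineno, line in enumerate(lines, 1):
                for kind, pattern in SECRET_PATTERNS.items():
                    match = pattern.search(line)
                    if match:
                        value = match.group(match.lastindex) if match.lastindex else match.group(0)
                        findings.append((path, lineno, kind, redact(value)))
                        break  # one finding per line; the vendor-specific rule wins
    return findings

def demo_tree():
    """Constructed sample project: a .env with fake secrets and a text file the audit skips."""
    root = tempfile.mkdtemp(prefix="secret-audit-")
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12\n"
                 "SLACK_BOT_TOKEN=xoxb-0000000000-0000000000-constructedexample\n"
                 "DB_PASSWORD=correct-horse-battery\nAPP_NAME=inventory\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("ghp_" + "a" * 36 + " sits in a file the audit does not read\n")
    return root
```

Run `scan_tree` over a workstation or CI checkout and each finding is a candidate for moving into a vault and rotating.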

PCPJack’s Best, and Missing, Features

PCPJack moves laterally both inside of a network and to other targets. It hacks into exposed cloud services to steal secrets, and steals secrets to hack into more cloud services.

The script which handles lateral movement inside of a network, “lat,” uses newly stolen secrets to gain access to Kubernetes environments, Docker containers, Redis, remote machines via SSH, and the list goes on.

The external propagation logic is more novel. The malware’s orchestrator module downloads parquet files from Common Crawl, a nonprofit service popular in data analytics and artificial intelligence (AI) development, which crawls and collects data from the open Web. The malware then scans through this open source (OSS) data for potential targets, and a module called “csc” does the grunt work of exploiting known vulnerabilities to get in. PCPJack also keeps track of which hosts it has already scanned, and prevents multiple instances of itself from scanning the same hosts.

“PCPJack’s most novel feature is the use of parquet files for finding new targets,” says Alex Delamotte, senior threat researcher at SentinelLabs. “The toolset uses Common Crawl’s parquet files for less noisy, pre-validated target discovery. Unlike aimless scanning, it filters for hosts with valid HTTP responses and allows operators to customize targeting by overriding the parquet index for targeted attacks. To my knowledge, no other tools have used parquet files like this.”

Unexpectedly, PCPJack contains no cryptomining functionality. In the niche of cloud cybercrime, SentinelLabs wrote, nearly everyone deploys XMRig, or something equivalent, to drain targets of their lucrative computing power. For Delamotte, “The absence of cryptomining suggests the actor prioritizes quick payoffs through stealing credentials and wallets over long-term resource exploitation. While credential and wallet theft require development upfront to automate validation, they provide faster returns than mining, which carries higher detection and eviction risks.”

Hackers vs. Hackers

Threat actors have long built mechanisms into their malware designed to delete other malware infections on targeted systems, or at least “close the door behind them” once their malware is inside. Some kinds of malware — like botnets, and cryptominers — demand significant computing resources, which competing programs can eat away at. Cybercriminals might also not want to share their good fortune, or raise the risk of attention from security teams if another program on the same system is being too loud.

PCPJack is different: it doesn’t target other malware broadly, it targets TeamPCP’s tooling specifically. TeamPCP is a high-profile, fast-growing threat group, but it’s hardly the Morris worm — even a tool like PCPJack that targets similar services is unlikely to run into it in the wild very often. This initially led SentinelLabs researchers to wonder whether PCPJack was actually deployed by a researcher trying to fight TeamPCP infections. The malware’s other payloads quickly disabused them of that notion.

SentinelLabs now speculates that PCPJack might have been created by somebody formerly involved with TeamPCP, who’s intimately familiar with its tactics, techniques, and procedures (TTPs). Rivalries aren’t rare among cybercriminals, and this theory does square with notable yet inconclusive details of both groups’ timelines. On April 19, just before its X account got suspended, TeamPCP made a post that alluded to threat actor “identity theft”:

[Image: An X post by TeamPCP]

According to Delamotte, evidence from the attacker’s infrastructure suggests that the PCPJack campaign began the week of April 20.
