SentinelLabs Discovers 'PCPJack' Cloud Worm Targeting AWS, GitHub, and Crypto Secrets

New Cloud Worm 'PCPJack' Steals Secrets, Eradicates Rival Malware

HIGH
May 8, 2026
5m read
Cloud Security, Malware, Threat Actor

Related Entities

Threat Actors

TeamPCP

Organizations

SentinelLabs, Common Crawl

Products & Tech

AWS, GitHub, Slack, Kubernetes, Docker, Redis, Gmail, Outlook

Other

PCPJack, Stripe

Full Report

Executive Summary

Researchers at SentinelLabs have identified a new, sophisticated cloud worm named PCPJack. This modular malware is designed to steal a wide variety of credentials and secrets from compromised cloud environments. Uniquely, PCPJack exhibits competitive behavior, actively seeking out and removing infections from a rival threat actor, TeamPCP, before establishing its own foothold. The worm targets an extensive list of services, including AWS, GitHub, Slack, and numerous financial and cryptocurrency platforms. Its propagation methods are equally advanced, using stolen secrets for internal lateral movement and leveraging data from Common Crawl to find new external targets. This discovery highlights the increasing complexity and competitiveness of threats targeting cloud infrastructure.

Threat Overview

PCPJack is a multi-faceted threat focused on credential theft and self-propagation in cloud environments. Its most unusual characteristic is its built-in function to eradicate traces of a competing malware family associated with the TeamPCP group. This suggests a turf war between criminal groups vying for control of compromised cloud resources. After cleaning the system of its rival, PCPJack proceeds to steal secrets, API keys, and credentials for a vast array of services. It then uses these stolen secrets for propagation, both internally and externally.

Technical Analysis

PCPJack employs several advanced TTPs for its operations:

  • Credential Access: The worm's primary function is to steal credentials from various sources, including environment variables, configuration files, and secrets management systems (T1552 - Unsecured Credentials). It specifically targets secrets for AWS, GitHub, Slack, Kubernetes, Docker, Redis, Gmail, Outlook, Stripe, and crypto exchanges.
  • Defense Evasion: By removing a rival's malware, PCPJack performs a form of indicator removal (T1070 - Indicator Removal) to eliminate competition and potentially confuse forensic analysis.
  • Lateral Movement: The worm uses stolen secrets to move laterally. It leverages SSH keys to access other machines, Kubernetes API credentials to move within a cluster, and Docker credentials to compromise container environments (T1021 - Remote Services).
  • Resource Development: For external propagation, PCPJack uses a novel technique: it downloads data from Common Crawl, a public web crawl dataset, likely to identify the IP addresses and domains of new, potentially vulnerable cloud services to attack (T1583.006 - Acquire Infrastructure: Web Services).

Impact Assessment

A PCPJack infection can be devastating for a cloud-native organization. The theft of critical secrets for services like AWS, GitHub, and Kubernetes can lead to a full-scale compromise of the entire cloud infrastructure. Attackers could steal or destroy data, deploy cryptominers, or use the compromised infrastructure to attack others. The theft of source code from GitHub or private communications from Slack could expose sensitive intellectual property. The theft of financial service and cryptocurrency credentials could lead to direct and substantial financial loss.

IOCs — Directly from Articles

No specific technical Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were mentioned in the source articles.

Cyber Observables — Hunting Hints

Security teams can hunt for PCPJack activity by looking for these patterns in their cloud environments:

  • Type: network_traffic_pattern
    Value: Anomalous outbound traffic to commoncrawl.org
    Description: A server downloading large amounts of data from Common Crawl is highly unusual and a specific indicator for this malware.
  • Type: log_source
    Value: CloudTrail (AWS), Audit Logs (Kubernetes, GitHub)
    Description: Look for a burst of secret access events, or access to secrets from an unfamiliar process or IP address.
  • Type: process_name
    Value: Processes that scan the filesystem for files named credentials, .aws/config, or .git-credentials.
    Description: This indicates a credential harvesting script is active on the system.
  • Type: command_line_pattern
    Value: ssh, kubectl, docker commands executed by unexpected users or processes.
    Description: Monitor for lateral movement attempts using stolen credentials from within a compromised host or container.

Detection & Response

  • Detection: Utilize Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP) to detect anomalous behavior. Monitor cloud audit logs (e.g., AWS CloudTrail) for unusual patterns of secret access or API calls. D3FEND's D3-CUM - Cloud User Monitoring is essential. Set up alerts for unexpected network traffic, especially large downloads from services like Common Crawl.
  • Response: If PCPJack is suspected, immediately rotate all potentially compromised credentials for AWS, GitHub, Kubernetes, etc. Isolate the affected workload and perform a forensic analysis. Review audit logs to trace the attacker's actions and identify the full scope of the compromise.

Mitigation

  • Strategic: Adopt a zero-trust approach to secrets management. Use a dedicated secrets vault (e.g., HashiCorp Vault, AWS Secrets Manager) with strict access policies and just-in-time credential issuance. Avoid hardcoding credentials in files or environment variables (M1043 - Credential Access Protection).
  • Tactical: Enforce MFA on all service accounts where possible. Implement fine-grained IAM policies following the principle of least privilege (M1026 - Privileged Account Management). Use network segmentation and security groups to restrict communication between workloads. Regularly scan container images and workloads for vulnerabilities and malware.

Timeline of Events

1. May 8, 2026: This article was published

MITRE ATT&CK Mitigations

Using dedicated secrets management vaults instead of hardcoding credentials is the most effective way to prevent their theft.

Applying the principle of least privilege to IAM roles and service accounts limits the damage an attacker can do with a stolen credential.

Enforcing MFA on developer accounts (like GitHub) and administrative consoles can prevent stolen credentials from being used.

Using security groups and network ACLs in the cloud to restrict traffic between workloads can prevent the worm's lateral movement.

D3FEND Defensive Countermeasures

To detect a threat like PCPJack, which is focused on abusing cloud credentials, continuous Cloud User Monitoring is essential. This involves ingesting and analyzing cloud provider audit logs (e.g., AWS CloudTrail, Azure Monitor, Google Cloud Audit Logs) into a SIEM or CNAPP. Security teams must establish a baseline of normal IAM user and role activity. Detections should be built to alert on anomalous behavior indicative of PCPJack, such as: an IAM role suddenly accessing a large number of secrets from AWS Secrets Manager; a user account that normally operates in one region suddenly making API calls in another; or API keys being used from an IP address outside of the organization's known ranges. This behavioral analysis is critical for spotting the abuse of stolen credentials.
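One way to build the Cloud User Monitoring detections described above, as an added example that is not SentinelLabs' or the article's own code: it runs over constructed CloudTrail records and flags a principal reading many distinct Secrets Manager secrets in a short window, and calls from outside assumed known IP ranges. The ranges, thresholds, account ID and sample events are all assumptions.

```python
"""Hunt for PCPJack-style credential abuse in AWS CloudTrail records (added
example, not from the article): flags a principal reading many distinct Secrets
Manager secrets in one short window, and calls from IPs outside known ranges."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corp egress
BURST_THRESHOLD, WINDOW = 5, timedelta(minutes=10)       # assumed tuning
EPOCH = datetime(1970, 1, 1)

def _arn(ev):
    return ev.get("userIdentity", {}).get("arn", "unknown")

def _bucket(ev):
    """Fixed WINDOW-sized time bucket index for the record's eventTime (UTC)."""
    return (datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ") - EPOCH) // WINDOW

def find_secret_bursts(events):
    """Return {principal: n} where one principal read n >= BURST_THRESHOLD
    distinct secrets (GetSecretValue) inside a single time bucket."""
    seen = defaultdict(set)
    for ev in events:
        if (ev.get("eventSource") == "secretsmanager.amazonaws.com"
                and ev.get("eventName") == "GetSecretValue"):
            seen[(_arn(ev), _bucket(ev))].add(ev["requestParameters"]["secretId"])
    return {arn: len(s) for (arn, _), s in seen.items() if len(s) >= BURST_THRESHOLD}

def find_unknown_source_ips(events):
    """Return {(principal, ip)} for calls made from outside KNOWN_RANGES."""
    flagged = set()
    for ev in events:
        try:
            addr = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:  # AWS service-originated calls carry a hostname here
            continue
        if not any(addr in net for net in KNOWN_RANGES):
            flagged.add((_arn(ev), str(addr)))
    return flagged

def _ev(minute, secret, ip="203.0.113.10", role="app"):
    """Build one constructed GetSecretValue CloudTrail record (assumed account)."""
    return {"eventTime": f"2026-05-08T10:{minute:02d}:00Z", "sourceIPAddress": ip,
            "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:role/{role}"},
            "requestParameters": {"secretId": secret}}

# Constructed sample: role/app sweeps five secrets in four minutes; role/ci reads once from an unknown IP.
SAMPLE_EVENTS = [_ev(m, f"prod/{s}") for m, s in
                 enumerate(["db", "github", "slack", "stripe", "redis"])]
SAMPLE_EVENTS.append(_ev(30, "prod/db", ip="198.51.100.7", role="ci"))
```

In production the bucket boundary would be replaced by a sliding window in the SIEM, and the threshold tuned against the baseline of normal secret reads per role.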

PCPJack's novel use of Common Crawl for target discovery presents a unique detection and prevention opportunity. Organizations should implement strict Outbound Traffic Filtering for their cloud workloads. Using cloud-native firewalls and security groups, egress traffic should be denied by default. An explicit allowlist should be created for necessary external communications (e.g., to package repositories, third-party APIs). A workload making an outbound connection to commoncrawl.org is a high-confidence indicator of a PCPJack infection and should be blocked and trigger an immediate alert. This egress control not only helps detect this specific malware but also prevents a wide range of C2 communications and data exfiltration attempts.
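A second added example, not from the article: a deny-by-default egress allowlist evaluated against DNS query logs, which is where the commoncrawl.org destination named above becomes visible. The Route 53 Resolver-style record fields, the allowlist, the addresses and the instance IDs are constructed assumptions.

```python
"""Deny-by-default egress allowlist check over DNS query logs (added example,
not from the article). Assumes Route 53 Resolver query-log style JSON records;
the allowlist, the records and the instance IDs below are constructed."""
import json

# Assumed allowlist of external destinations the workloads legitimately need.
EGRESS_ALLOWLIST = ("amazonaws.com", "pypi.org", "files.pythonhosted.org", "github.com")
# Destination the article names as a high-confidence PCPJack indicator.
HIGH_CONFIDENCE = ("commoncrawl.org",)

def _matches(name, suffixes):
    """True when name equals a suffix or is a subdomain of it (whole labels only)."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)

def check_egress(records):
    """Return (source, query_name, verdict) per record; verdict is "allow",
    "deny" or "deny+alert". Anything not allowlisted is denied by default."""
    verdicts = []
    for line in records:
        rec = json.loads(line)
        qname = rec["query_name"]
        src = rec.get("srcids", {}).get("instance", rec.get("srcaddr", "?"))
        if _matches(qname, EGRESS_ALLOWLIST):
            verdicts.append((src, qname, "allow"))
        elif _matches(qname, HIGH_CONFIDENCE):
            verdicts.append((src, qname, "deny+alert"))
        else:
            verdicts.append((src, qname, "deny"))
    return verdicts

# Constructed query-log lines: package fetch, S3 call, Common Crawl lookup, look-alike name.
SAMPLE_RECORDS = [
    '{"query_timestamp":"2026-05-08T10:01:00Z","query_name":"pypi.org.","srcaddr":"10.0.1.5","srcids":{"instance":"i-0example1"}}',
    '{"query_timestamp":"2026-05-08T10:02:00Z","query_name":"s3.us-east-1.amazonaws.com.","srcaddr":"10.0.1.5","srcids":{"instance":"i-0example1"}}',
    '{"query_timestamp":"2026-05-08T10:03:00Z","query_name":"index.commoncrawl.org.","srcaddr":"10.0.1.9","srcids":{"instance":"i-0example2"}}',
    '{"query_timestamp":"2026-05-08T10:04:00Z","query_name":"notcommoncrawl.org.","srcaddr":"10.0.1.9","srcids":{"instance":"i-0example2"}}',
]
```

The suffix match deliberately requires a label boundary, so a look-alike such as notcommoncrawl.org is still denied by default but does not fire the high-confidence alert.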

Sources & References

After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets. Dark Reading (darkreading.com), May 7, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Cloud Security, Worm, PCPJack, TeamPCP, SentinelLabs, AWS, GitHub, Credential Theft, Malware
