Tuesday, March 24, 2026
Self-propagating malware poisons open source software and wipes Iran-based machines

A new hacking group has been rampaging across the Internet in a persistent campaign that spreads a self-propagating and never-before-seen backdoor—and, curiously, a data wiper that targets Iranian machines.

The group, tracked under the name TeamPCP, first gained visibility in December, when researchers from security firm Flare observed it unleashing a worm that targeted cloud-hosted platforms that weren’t properly secured. The objective was to build a distributed proxy and scanning infrastructure and then use it to compromise servers for exfiltrating data, deploying ransomware, conducting extortion, and mining cryptocurrency. The group is notable for its skill in large-scale automation and integration of well-known attack techniques.

Relentless and constantly evolving

More recently, TeamPCP has waged a relentless campaign that uses continuously evolving malware to bring ever more systems under its control. Late last week, it compromised virtually all versions of the widely used Trivy vulnerability scanner in a supply-chain attack after gaining privileged access to the GitHub account of Aqua Security, the Trivy creator.

Over the weekend, researchers from Aikido said they observed TeamPCP spreading potent malware that was also worm-enabled, meaning it had the potential to spread to new machines automatically, with no interaction required of victims behind the keyboard. After infecting a machine, the malware scours it for access tokens to the npm repository and compromises any package those tokens can publish by creating a new version laced with the malicious code. Aikido observed the worm targeting 28 packages in less than 60 seconds.

Initially, an attacker had to manually spread the worm across every package a compromised npm token had access to. Later versions pushed over the weekend removed this requirement, giving it ever more reach.

The worm was controlled by an uncommon mechanism designed to be tamper-proof. It used an Internet Computer Protocol-based canister, a form of self-enforcing smart contract designed to be impossible for third parties to take down or alter. The canister could point to ever-changing URLs for servers hosting malicious binaries. Because the worm looked up its control servers through the canister rather than carrying fixed addresses, the attackers could swap out those URLs at any time. Infected machines reported to the canister once every 50 minutes.

In an email, Aikido researcher Charlie Eriksen said the canister was taken down Sunday night and is no longer available.

“It wasn’t as reliable/untouchable as they expected,” Eriksen wrote. “But for a while, it would have wiped systems if infected.”

Like previous TeamPCP malware, CanisterWorm, as Aikido has named the malware, targets organizations’ CI/CD pipelines used for rapid development and deployment of software.

“Every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagation vector,” Eriksen wrote. “Their packages get infected, their downstream users install those, and if any of them have tokens, the cycle repeats.”
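The exposure Eriksen describes is an npm publish token that an install step can read. The following audit is an added example, not code from Aikido, Aqua, or the article: it walks a CI workspace for such tokens, reading npm's documented .npmrc `_authToken` lines and a set of environment-variable names that are common CI conventions assumed here, and tells a literal secret apart from a `${VAR}` reference.

```python
"""Audit a CI workspace for npm publish credentials of the kind the worm above
harvests. Added example, not Aikido's or TeamPCP's code; the .npmrc layout is
npm's documented format, and the environment-variable names are common CI
conventions assumed here, not names taken from the article."""
import os
import re
from pathlib import Path

# Matches  //registry.example/:_authToken=VALUE  and bare  _authToken=VALUE  lines.
AUTH_LINE = re.compile(r"^\s*(?:(//[^:\n]+/):)?_authToken\s*=\s*(.+?)\s*$", re.M)
# Variables CI systems commonly export for `npm publish` (assumption).
ENV_NAMES = ("NPM_TOKEN", "NODE_AUTH_TOKEN", "NPM_AUTH_TOKEN")


def classify_token(value: str) -> str:
    """A ${VAR} reference is only live if VAR is set; anything else is a literal secret."""
    if re.fullmatch(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?", value):
        return "env-reference"
    return "literal"


def scan_npmrc_text(text: str, source: str) -> list:
    """Return one finding per _authToken line in a single .npmrc body."""
    findings = []
    for m in AUTH_LINE.finditer(text):
        findings.append({"source": source,
                         "registry": m.group(1) or "(default registry)",
                         "kind": classify_token(m.group(2))})
    return findings


def scan_env(env: dict) -> list:
    """Flag tokens exported into the environment, where any install script can read them."""
    return [{"source": "env:" + k, "registry": "(any)", "kind": "literal"}
            for k in ENV_NAMES if env.get(k)]


def scan_workspace(root: Path, env: dict) -> list:
    """Check the environment, every .npmrc under root, and the user-level ~/.npmrc."""
    findings = scan_env(env)
    for p in list(root.rglob(".npmrc")) + [Path.home() / ".npmrc"]:
        if p.is_file():
            findings += scan_npmrc_text(p.read_text(errors="ignore"), str(p))
    return findings


if __name__ == "__main__":
    for f in scan_workspace(Path("."), dict(os.environ)):
        print(f"{f['source']}: {f['kind']} token for {f['registry']}")
```

A literal finding in a job that only needs to install, never publish, is the propagation vector the quote describes; a short-lived, publish-scoped token injected only into the publish step removes it.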

As the weekend progressed, CanisterWorm was updated to add an additional payload: a wiper that targets machines exclusively in Iran. When the updated worm infects a machine, it checks whether the machine is in the Iranian timezone or is configured for use in that country. When either condition is met, the malware skips the credential stealer and instead triggers a novel wiper that TeamPCP developers named Kamikaze. Eriksen said in an email that there’s no indication yet that the worm caused actual damage to Iranian machines, but that there was “clear potential for large-scale impact if it achieves active spread.”

Eriksen said Kamikaze’s “decision tree is simple and brutal.”

  • Kubernetes + Iran: Deploy a DaemonSet that wipes every node in the cluster
  • Kubernetes + elsewhere: Deploy a DaemonSet that installs the CanisterWorm backdoor on every node
  • No Kubernetes + Iran: rm -rf / --no-preserve-root
  • No Kubernetes + elsewhere: Exit. Nothing happens.
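Both Kubernetes branches of that decision tree deploy a DaemonSet so the payload lands on every node. The audit below is an added example, not code from Aikido, Aqua, or the malware: it assumes (the article does not say) that a node-wiping or node-backdooring DaemonSet needs a privileged container, a shared host namespace, or a hostPath mount of a sensitive directory, and flags any DaemonSet in a `kubectl get daemonsets -A -o json` listing that has those traits.

```python
"""Flag DaemonSets that can touch every node's host filesystem, the shape of
object the Kamikaze decision tree above deploys. Added example, not code from
Aikido, Aqua, or the malware; it assumes that such a DaemonSet needs a
privileged container, a host namespace, or a sensitive hostPath mount."""
import json
import sys

# Host directories whose mounting hands a pod write access to the node (a starting
# point, not exhaustive). Log agents legitimately mount /var/log, so known-good
# DaemonSets are excluded by namespace/name instead of by path.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/boot", "/usr", "/host")
ALLOWLIST = frozenset({"kube-system/kube-proxy"})  # constructed example entry


def is_sensitive_host_path(path: str) -> bool:
    norm = path.rstrip("/") or "/"
    return norm == "/" or any(norm == p or norm.startswith(p + "/")
                              for p in SENSITIVE_HOST_PATHS)


def audit_daemonset(ds: dict, allowlist=ALLOWLIST) -> list:
    """Return the reasons one DaemonSet object looks like a node-wide host-access payload."""
    meta = ds.get("metadata", {})
    if f"{meta.get('namespace', 'default')}/{meta.get('name')}" in allowlist:
        return []
    spec = ds.get("spec", {}).get("template", {}).get("spec", {})
    reasons = [f"{ns}=true" for ns in ("hostPID", "hostNetwork", "hostIPC") if spec.get(ns)]
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path", "")
        if path and is_sensitive_host_path(path):
            reasons.append(f"hostPath {path}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            reasons.append(f"privileged container {c.get('name')}")
    return reasons


def audit_listing(listing: dict) -> dict:
    """Run audit_daemonset over `kubectl get daemonsets -A -o json` output."""
    findings = {}
    for ds in listing.get("items", []):
        reasons = audit_daemonset(ds)
        if reasons:
            meta = ds["metadata"]
            findings[f"{meta['namespace']}/{meta['name']}"] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_listing(json.load(sys.stdin)).items():
        print(name, "->", "; ".join(reasons))
```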

TeamPCP’s targeting of a country that the US is currently at war with is a curious choice. Up to now the group’s motivation has been financial gain. With no clear connection to monetary profit, the wiper seems out of character for TeamPCP. Eriksen said Aikido still doesn’t know the motive. He wrote:

While there may be an ideological component, it could just as easily be a deliberate attempt to draw attention to the group. Historically, TeamPCP has appeared to be financially motivated, but there are signs that visibility is becoming a goal in itself. By going after security tools and open-source projects, including Checkmarx as of today, they are sending a clear and deliberate signal.

The hack that keeps on giving

Last week’s supply-chain compromise of Trivy was made possible by a previous compromise of Aqua Security in late February. Although the company’s incident response was intended to replace all compromised credentials, the rotation was incomplete, allowing TeamPCP to take control of the GitHub account for distributing the vulnerability scanner. Aqua Security said it was performing a more thorough credential purge in response.

Over the weekend, the hacking group managed to compromise Aqua Security’s Docker Hub account and publish two malicious updates for the scanner. TeamPCP also compromised a second GitHub account belonging to Aqua Security and defaced, renamed, and published 44 internal repositories, including source code for Tracee, internal Trivy forks, CI/CD pipelines, Kubernetes operators, and team knowledge bases. It would appear that the company’s subsequent attempts last week to fully rotate credentials were also unsuccessful.

“The CanisterWorm campaign appears to be a direct extension of the initial Trivy compromise rather than a separate operation,” researchers from security firm Socket wrote in an email. “This is also consistent with the attacker’s continued access following the initial breach, including the ability to publish malicious Trivy images (v0.69.5 and v0.69.6) to Docker Hub and expose internal Aqua repositories, suggesting incomplete containment and ongoing control over release infrastructure.”

With the ability to worm its way through sensitive developer pipelines and machines, CanisterWorm represents a serious escalation of TeamPCP’s campaign to steal as many credentials as possible. Development organizations should realize that they may have been affected without knowing it. Both Aikido and Socket have published indicators that these organizations can use to determine if they have been targeted or compromised.