A new hacking group has been rampaging across the Internet in a persistent campaign that spreads a self-propagating, never-before-seen backdoor and, curiously, a data wiper that targets Iranian machines.
The group, tracked under the name TeamPCP, first gained visibility in December, when researchers from security firm Flare observed it unleashing a worm that targeted cloud-hosted platforms that weren’t properly secured. The objective was to build a distributed proxy and scanning infrastructure and then use it to compromise servers for exfiltrating data, deploying ransomware, conducting extortion, and mining cryptocurrency. The group is notable for its skill in large-scale automation and integration of well-known attack techniques.
Relentless and constantly evolving
More recently, TeamPCP has waged a relentless campaign that uses continuously evolving malware to bring ever more systems under its control. Late last week, it compromised virtually all versions of the widely used Trivy vulnerability scanner in a supply-chain attack after gaining privileged access to the GitHub account of Aqua Security, the Trivy creator.
Over the weekend, researchers said they observed TeamPCP spreading potent malware that was also worm-enabled, meaning it could spread to new machines automatically, with no interaction required from whoever is at the keyboard. After infecting a machine, the malware scours it for access tokens to the npm registry and compromises every package those tokens can publish by creating a new version laced with the malicious code. Researchers from security firm Aikido observed the worm publishing malicious versions of 28 packages in less than 60 seconds.
Initially, the attackers had to manually push the worm to each package a compromised npm token could publish to. Versions released over the weekend automated that step, so every new infection extends the worm's reach on its own.
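The token-to-publish chain described above leaves a trace in the registry itself: a single stolen token produces a burst of new versions, across otherwise unrelated packages, within seconds of each other. The following is an added example of a check for that pattern; it is not code from the article, from Aikido or from the malware. It consumes the `time` field that `npm view <pkg> time --json` returns (version to ISO 8601 publish timestamp); the package names and timestamps below are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample modelled on the `time` object that `npm view <pkg> time --json`
# prints: version -> publish timestamp, plus the non-version keys "created"/"modified".
# Package names and timestamps are hypothetical; three packages were "published"
# within 41 seconds of one another, the fourth months earlier.
SAMPLE_PUBLISH_TIMES = {
    "acme-logger": {
        "created": "2024-02-01T10:00:00.000Z",
        "modified": "2025-08-14T20:00:00.000Z",
        "1.0.0": "2024-02-01T10:00:00.000Z",
        "1.0.1": "2025-08-14T20:00:00.000Z",
    },
    "acme-widget": {
        "2.3.0": "2025-01-05T08:00:00.000Z",
        "2.3.1": "2025-08-14T20:00:22.000Z",
    },
    "acme-cli": {
        "0.9.0": "2024-11-11T11:11:11.000Z",
        "0.9.1": "2025-08-14T20:00:41.000Z",
    },
    "acme-unrelated": {
        "3.1.0": "2025-03-03T03:03:03.000Z",
    },
}


def parse_ts(stamp):
    """Parse the registry's millisecond-precision UTC timestamp."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def latest_publish(times):
    """Return (version, datetime) of the most recently published version,
    ignoring the registry's bookkeeping keys."""
    versions = {v: t for v, t in times.items() if v not in ("created", "modified")}
    version, stamp = max(versions.items(), key=lambda kv: parse_ts(kv[1]))
    return version, parse_ts(stamp)


def find_publish_bursts(times_by_pkg, window_seconds=60, min_packages=3):
    """Group packages whose latest versions were published within `window_seconds`
    of each other. Each burst is a list of (package, version) in publish order.
    A burst of several packages from one maintainer is the signature of a
    token-driven mass publish rather than a normal release cadence."""
    events = sorted(
        (latest_publish(times)[1], pkg, latest_publish(times)[0])
        for pkg, times in times_by_pkg.items()
    )
    bursts = []
    i = 0
    while i < len(events):
        j = i
        # Extend the window from event i while the next event is still inside it.
        while j + 1 < len(events) and (events[j + 1][0] - events[i][0]).total_seconds() <= window_seconds:
            j += 1
        if j - i + 1 >= min_packages:
            bursts.append([(pkg, ver) for _, pkg, ver in events[i:j + 1]])
            i = j + 1
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for burst in find_publish_bursts(SAMPLE_PUBLISH_TIMES):
        print("suspicious mass publish:", burst)
```

In practice you would feed this the `time` objects for every package your organization's tokens can publish, and treat any burst as a reason to revoke the token and inspect the new versions' tarballs before anything else. Long-dormant packages suddenly receiving a version in the same second as several others is the strongest form of the signal.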
The worm was controlled by an uncommon mechanism designed to be tamper proof. It used an Internet Computer Protocol-based canister, a form of self-enforcing smart contract designed to be impossible for third parties to take down or alter. The canister could point to ever-changing URLs for servers hosting malicious binaries. Because the worm looks up its control servers through the canister rather than carrying hardcoded addresses, the attackers can swap out URLs at any time without losing contact with infected machines. Tamper proof cuts only one way, though: the canister's operators can still update it, the servers it points to are ordinary hosts that can be seized, and the lookup itself is network traffic that defenders can watch for. Infected machines reported to the canister once every 50 minutes.
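A fixed 50-minute check-in is the kind of regularity that stands out in egress logs once you look for it. Below is an added example of that detection, not code from the article or from any vendor: it parses a constructed proxy log excerpt (timestamp, source IP, destination host; the hosts are hypothetical placeholders, not the real canister gateway) and flags source/destination pairs whose request intervals are tightly periodic. It goes slightly beyond the article in that the expected period is optional, so the same routine catches beacons at any interval.

```python
import statistics
from datetime import datetime

# Constructed proxy log excerpt: "<ISO timestamp> <src_ip> <dst_host>".
# 10.0.0.7 reaches canister-gateway.example every ~50 minutes with a few
# seconds of jitter; the other traffic is ordinary and irregular.
SAMPLE_PROXY_LOG = """\
2025-08-14T00:00:05 10.0.0.7 canister-gateway.example
2025-08-14T00:12:40 10.0.0.7 cdn.example
2025-08-14T00:50:09 10.0.0.7 canister-gateway.example
2025-08-14T01:40:02 10.0.0.7 canister-gateway.example
2025-08-14T02:30:07 10.0.0.7 canister-gateway.example
2025-08-14T03:20:11 10.0.0.7 canister-gateway.example
2025-08-14T00:03:00 10.0.0.9 cdn.example
2025-08-14T00:47:00 10.0.0.9 cdn.example
2025-08-14T02:10:00 10.0.0.9 cdn.example
"""


def parse_log(text):
    """Group request timestamps by (src, dst) pair."""
    by_pair = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst = line.split()
        by_pair.setdefault((src, dst), []).append(datetime.fromisoformat(stamp))
    return by_pair


def find_beacons(text, expected_period_s=50 * 60, tolerance=0.05, min_hits=4):
    """Return pairs whose inter-request gaps are periodic.

    A pair is flagged when its gaps deviate from their median by at most
    `tolerance` (relative) and, if `expected_period_s` is given, the median
    gap is within `tolerance` of that period. Pass expected_period_s=None to
    flag any tightly periodic pair regardless of interval.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        jitter = max(abs(g - median) for g in gaps) / median
        if jitter > tolerance:
            continue
        if expected_period_s is not None and abs(median - expected_period_s) > tolerance * expected_period_s:
            continue
        hits.append({"src": src, "dst": dst, "hits": len(stamps), "median_gap_s": median})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print("periodic beacon:", hit)
```

The jitter bound is deliberately tight because a scheduled check-in drifts by seconds, while human-driven traffic to the same host does not hold a median within a few percent over several hours. Lower `min_hits` raises recall at the cost of false positives from short-lived pollers such as update checkers.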
Facts Only
Actor: TeamPCP hacking group
Events: Launched a persistent campaign, compromised Trivy vulnerability scanner, spread malware through npm repository packages
Date: December (initial visibility) - Ongoing
Location: Internet
Entity: Aqua Security (Trivy creator), GitHub
Full Take
In analyzing the article, it is important to consider the motivations and tactics of TeamPCP. The article attributes a clear financial objective to the group: data exfiltration, ransomware deployment, extortion, and cryptocurrency mining, run on top of proxy and scanning infrastructure assembled from poorly secured cloud hosts. The use of large-scale automation and the integration of well-known attack techniques indicate a well-organized and skilled operation.
The supply-chain attack on the Trivy vulnerability scanner is significant because it shows the group's ability to infiltrate a trusted tool, one that organizations run inside their build pipelines precisely because they trust it, and turn it against its users. Controlling the worm through a canister that third parties cannot alter or take down adds another layer of complexity, since the usual response of seizing or sinkholing the control point is no longer available; what remains is cutting off the URLs the canister points to and detecting the check-in traffic itself.
It is also worth noting that the article does not establish TeamPCP's origins or any connection to other hacking groups. Further investigation would be needed to fully understand the group's motivations and long-term objectives.
Questions for further inquiry: What are the underlying reasons driving TeamPCP's actions? How does TeamPCP compare to other notable hacking groups in skill, organization, and impact? What can be done to prevent similar supply-chain attacks in the future?
