An AWS Virtual Machine Is Infected With Mining Malware. There Could Be Others

A monero mining script has been embedded in a public instance of an AWS virtual machine. How many others are similarly infected?

AccessTimeIconAug 21, 2020 at 1:00 p.m. UTC
Updated Sep 14, 2021 at 9:46 a.m. UTC

A cybersecurity firm has unearthed a monero mining script embedded in a public instance of an Amazon Web Service (AWS) virtual machine. Now the firm is raising the question: How many other community Amazon Machine Instances (AMIs) are infected with the same malware?

Researchers at Mitiga revealed in a blog post Friday an AWS AMI for a Windows 2008 virtual server hosted by an unverified vendor is infected with a Monero mining script. The malware would have infected any device running the AMI with the purpose of using the device’s processing power to mine the privacy coin monero in the background – a malware attack that has become all too common in crypto’s digital wild west.

“Mitiga’s security research team has identified an AWS Community AMI containing malicious code running an unidentified crypto (Monero) miner. We have concerns this may be a phenomenon, rather than an isolated occurrence,” the blog post reads.

Monero meets AMI

Businesses and other entities use Amazon Web Services to spin up what are called “EC2” instances of popular programs and services. Also known as virtual machines, these EC2s are developed by third parties and are deployed under the Amazon Machine Instance framework, and businesses leverage these services to lower the costs of compute power for their business operations. AWS users can source these services from Amazon Marketplace AMIs, which are Amazon-verified vendors, or Community AMIs, which are unverified. 

Mitiga discovered this monero script in a Community AMI for a Windows 2008 Server while conducting a security audit for a financial services company. In its analysis, Mititga concluded that the AMI was created with the sole purpose of infecting devices with the mining malware, as the script was included in the AMI’s code from day one.

Code for the monero mining script
Code for the monero mining script

Outside of the financial services company that hired Mitiga to review the AMI, the cybersecurity firm is unaware of how many other entities and devices may be infected with the malware. 

“As to how Amazon allows this to happen, well, this is the biggest question that arises from this discovery, but it's a question that should also be directed to AWS’s (sic) Comms team,” the team told CoinDesk over email.

CoinDesk reached out to Amazon Web Services to learn more about its approach to handling unverified AMI publishers but a representative declined to comment. Amazon Web Service's documentation includes the caveat that users choose to use Community AMIs "at [their] own risk" and that Amazon "can't vouch for the integrity or security of [these] AMIs."

The AWS page containing the Community AMI that is infected with the malware
The AWS page containing the Community AMI that is infected with the malware

One-off event or one of many?

Mitiga’s principal concern is that this malware could be one of several bugs worming around in unverified AMIs. The fact that Amazon does not provide transparent data regarding AWS use exacerbates this worry, the firm told CoinDesk.

“As AWS customer usage is obfuscated, we can’t know how far and wide this phenomenon stretches without AWS’s own investigation. We do however believe that the potential risk is high enough to issue a security advisory to all AWS customers using Community AMIs.”

Mitiga recommends that any entity running a community AMI should terminate it immediately and search for a replacement from a trusted vendor. At the very least, businesses that rely on AWS should painstakingly review the code before integrating unverified AMIs into their business logic. 

Mining malware could actually be the most innocuous form of infection a business may experience, the firm continued in the post. The worst-case scenario includes an AMI installing a backdoor on a business’ computer or ransomware that would encrypt the company’s files with the aim of extorting it for money to regain access.

The attack is the latest in a trend of so-called “crypto-jacking” attacks. Monero is the coin of choice among attackers thanks to its mining algorithm, which can be run easily using a computer’s CPU and GPU. When attackers infect enough computers and pool their resources, the collective hashpower is enough to merit a pretty payday.

If Mitiga’s fears are true, other AMIs may have infected user devices with monero mining scripts and gone unnoticed.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.