An AWS Virtual Machine Is Infected With Mining Malware. There Could Be Others

A monero mining script has been embedded in a public instance of an AWS virtual machine. How many others are similarly infected?

AccessTimeIconAug 21, 2020 at 1:00 p.m. UTC
Updated Sep 14, 2021 at 9:46 a.m. UTC

A cybersecurity firm has unearthed a monero mining script embedded in a public instance of an Amazon Web Service (AWS) virtual machine. Now the firm is raising the question: How many other community Amazon Machine Instances (AMIs) are infected with the same malware?

Researchers at Mitiga revealed in a blog post Friday an AWS AMI for a Windows 2008 virtual server hosted by an unverified vendor is infected with a Monero mining script. The malware would have infected any device running the AMI with the purpose of using the device’s processing power to mine the privacy coin monero in the background – a malware attack that has become all too common in crypto’s digital wild west.

“Mitiga’s security research team has identified an AWS Community AMI containing malicious code running an unidentified crypto (Monero) miner. We have concerns this may be a phenomenon, rather than an isolated occurrence,” the blog post reads.

Monero meets AMI

Businesses and other entities use Amazon Web Services to spin up what are called “EC2” instances of popular programs and services. Also known as virtual machines, these EC2s are developed by third parties and are deployed under the Amazon Machine Instance framework, and businesses leverage these services to lower the costs of compute power for their business operations. AWS users can source these services from Amazon Marketplace AMIs, which are Amazon-verified vendors, or Community AMIs, which are unverified. 

Mitiga discovered this monero script in a Community AMI for a Windows 2008 Server while conducting a security audit for a financial services company. In its analysis, Mititga concluded that the AMI was created with the sole purpose of infecting devices with the mining malware, as the script was included in the AMI’s code from day one.

CoinDesk - Unknown
Code for the monero mining script

Outside of the financial services company that hired Mitiga to review the AMI, the cybersecurity firm is unaware of how many other entities and devices may be infected with the malware. 

“As to how Amazon allows this to happen, well, this is the biggest question that arises from this discovery, but it's a question that should also be directed to AWS’s (sic) Comms team,” the team told CoinDesk over email.

CoinDesk reached out to Amazon Web Services to learn more about its approach to handling unverified AMI publishers but a representative declined to comment. Amazon Web Service's documentation includes the caveat that users choose to use Community AMIs "at [their] own risk" and that Amazon "can't vouch for the integrity or security of [these] AMIs."

CoinDesk - Unknown
The AWS page containing the Community AMI that is infected with the malware

One-off event or one of many?

Mitiga’s principal concern is that this malware could be one of several bugs worming around in unverified AMIs. The fact that Amazon does not provide transparent data regarding AWS use exacerbates this worry, the firm told CoinDesk.

“As AWS customer usage is obfuscated, we can’t know how far and wide this phenomenon stretches without AWS’s own investigation. We do however believe that the potential risk is high enough to issue a security advisory to all AWS customers using Community AMIs.”

Mitiga recommends that any entity running a community AMI should terminate it immediately and search for a replacement from a trusted vendor. At the very least, businesses that rely on AWS should painstakingly review the code before integrating unverified AMIs into their business logic. 

Mining malware could actually be the most innocuous form of infection a business may experience, the firm continued in the post. The worst-case scenario includes an AMI installing a backdoor on a business’ computer or ransomware that would encrypt the company’s files with the aim of extorting it for money to regain access.

The attack is the latest in a trend of so-called “crypto-jacking” attacks. Monero is the coin of choice among attackers thanks to its mining algorithm, which can be run easily using a computer’s CPU and GPU. When attackers infect enough computers and pool their resources, the collective hashpower is enough to merit a pretty payday.

If Mitiga’s fears are true, other AMIs may have infected user devices with monero mining scripts and gone unnoticed.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.