After replacing the TeamPCP malware, PCPJack is described as a modular cloud worm that steals secrets from multiple cloud environments, including cloud services, wallets and keys, and email and other popular cloud applications. According to SentinelLabs, PCPJack uses parquet files for target discovery and scans for open cloud services before iterating over them to exfiltrate credentials, tokens and configuration data.
The malware’s entry point, a module called bootstrap, establishes persistence and then launches additional Python modules to search for targets, while a monitor script collects system metrics to disguise its activity. PCPJack’s lateral movement capability, a module named lat, is used to access Kubernetes environments, Docker containers and other remote hosts; its external propagation relies on parquet-backed targeting and vulnerability exploitation.
The report notes that PCPJack does not include cryptomining functionality, suggesting that credential and wallet theft offers a faster payoff; the researchers add that protecting secrets with vaults and MFA can mitigate the threat. SentinelLabs also notes that the PCPJack campaign began the week of 20 April, and that there is speculation PCPJack may have been created by someone formerly involved with TeamPCP.