Picture: Moritz Kindler
AT&T Alien Labs security researchers have found that the TeamTNT cybercrime group has upgraded its Linux crypto-mining malware with open-source detection evasion capabilities.
TeamTNT is generally known for targeting and compromising Internet-exposed Docker instances for unauthorized Monero (XMR) mining.
However, the group has also shifted tactics by updating its Linux cryptojacking malware, named Black-T, to also harvest user credentials from infected servers.
TeamTNT has now further upgraded its malware to evade detection after infecting Linux systems and deploying malicious coinminer payloads.
Hiding in plain sight
“The group is using a new detection evasion tool, copied from open source repositories,” AT&T Alien Labs security researcher Ofer Caspi says in a report published today.
“The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique,” Caspi added.
The detection evasion tool is deployed on infected systems as a base64-encoded bash script embedded within the TeamTNT ircbot or cryptominer binary.
Once the script is launched on a compromised machine, it executes a sequence of tasks that allow it to:
- Modify the network DNS configuration.
- Set persistence through systemd.
- Drop and activate the new tool as a service.
- Download the latest IRC bot configuration.
- Clear evidence of its activity to complicate potential defender actions.
After going through all the steps, the Black-T malware will also automatically erase all traces of malicious activity by deleting the system’s bash history.
“By using libprocesshider, TeamTNT once again expands their capabilities based on the available open source tools,” Caspi concluded.
“While the new functionality of libprocesshider is to evade detection and other basic capabilities, it acts as an indicator to consider when hunting for malicious activity on the host level.”
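As an added defender-side example (not code from the article, from AT&T Alien Labs or from libprocesshider), the following script looks for the two artifacts this technique leaves on a host: a library listed in /etc/ld.so.preload, and PIDs that exist but are missing from `ps` output. libprocesshider works by hooking readdir() through LD_PRELOAD, so the script enumerates PIDs with kill(pid, 0), a plain syscall that such a hook cannot filter; it assumes Linux with a procps-style `ps`.

```python
# Added example, not code from the article, AT&T Alien Labs or libprocesshider:
# a host-side check for processes hidden from ps by an LD_PRELOAD readdir()
# hook, which is how libprocesshider works. Assumes Linux with procps `ps`.
import os
import re
import subprocess

PRELOAD_FILE = "/etc/ld.so.preload"  # the loader injects every library listed here


def preload_entries(text):
    """Library paths listed in ld.so.preload-style text (blank/comment lines dropped)."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def hidden_pids(live_pids, ps_output):
    """PIDs that exist on the host but are missing from `ps -e -o pid=` output."""
    visible = {int(tok) for tok in re.findall(r"\d+", ps_output)}
    return sorted(set(live_pids) - visible)


def probe_live_pids(pid_max):
    """Enumerate PIDs without readdir(): kill(pid, 0) is a direct syscall, so a
    hooked readdir() cannot filter it. EPERM means the PID exists but is not ours."""
    live = []
    for pid in range(1, pid_max + 1):  # a few seconds when pid_max is 4194304
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        live.append(pid)
    return live


def check_host():
    """Print preloaded libraries and return PIDs that ps does not show."""
    if os.path.exists(PRELOAD_FILE):
        with open(PRELOAD_FILE) as fh:
            print("preloaded libraries (review each one):", preload_entries(fh.read()))
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True).stdout
    # Processes that exit between the probe and ps are transient false positives;
    # a PID flagged on two consecutive runs is the real signal.
    return hidden_pids(probe_live_pids(pid_max), ps_out)


if __name__ == "__main__":
    for pid in check_host():
        print(f"PID {pid} exists but is not listed by ps")
```

A statically linked `ps` or a tool that reads /proc with getdents directly is not affected by the hook, so comparing such a listing against the dynamic `ps` is an equivalent cross-check.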
After the malware infects a misconfigured server, it deploys itself in new containers and drops a malicious payload binary that starts mining for Monero (XMR) cryptocurrency.
In August, Cado Security observed the TeamTNT worm’s new AWS credentials harvesting feature, making it the first cryptojacking botnet with this capability.
One month later, the malware was observed by Intezer deploying the legitimate Weave Scope open-source tool to take control of victims’ Docker, Kubernetes, Distributed Cloud Operating System (DC/OS), or AWS Elastic Compute Cloud (ECS) cloud infrastructure.