AT&T Alien Labs security researchers have found that the TeamTNT cybercrime group has upgraded its Linux crypto-mining malware with open-source detection evasion capabilities.
TeamTNT is usually known for targeting and compromising Internet-exposed Docker instances for unauthorized Monero (XMR) mining.
However, the group has also shifted tactics by updating its Linux cryptojacking malware, named Black-T, to also harvest user credentials from infected servers.
TeamTNT has now further upgraded its malware to evade detection after infecting Linux devices and deploying malicious coinminer payloads.
Hiding in plain sight
“The group is using a new detection evasion tool, copied from open source repositories,” AT&T Alien Labs security researcher Ofer Caspi says in a report published today.
“The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique,” Caspi added.
The detection evasion tool is deployed on infected systems as a base64-encoded bash script embedded within the TeamTNT ircbot or cryptominer binary.
Once the script is launched on a compromised machine, it executes a series of tasks that allow it to:
- Modify the network DNS configuration.
- Set persistence via systemd.
- Drop and activate the new tool as a service.
- Download the latest IRC bot configuration.
- Clear evidence of its activities to complicate potential defender actions.
After going through all of these steps, the Black-T malware will also automatically erase all traces of malicious activity by deleting the system's bash history.
“Through the use of libprocesshider, TeamTNT once again expands their capabilities based on the available open source tools,” Caspi concluded.
“While the new functionality of libprocesshider is to evade detection and other basic capabilities, it acts as an indicator to consider when hunting for malicious activity on the host level.”
After the malware infects a misconfigured server, it deploys itself in new containers and drops a malicious payload binary that starts mining for Monero (XMR) cryptocurrency.
In August, Cado Security spotted the TeamTNT worm's new AWS credentials harvesting feature, making it the first cryptojacking botnet with this capability.
One month later, the malware was spotted by Intezer while deploying the legitimate Weave Scope open-source tool to take control of victims' Docker, Kubernetes, Distributed Cloud Operating System (DC/OS), or AWS Elastic Compute Cloud (ECS) cloud infrastructure.
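The hiding technique described above (a process missing from `ps` and `lsof`) and Caspi's point that libprocesshider itself is a host-level indicator both come down to two checks a defender can script: whether `/etc/ld.so.preload` lists an unexpected shared object (libprocesshider is loaded that way and overrides `readdir()` so the hidden process's `/proc` entry is never returned), and whether probing `/proc/<pid>` directly with `stat()`, which the hook does not intercept, turns up PIDs that a `readdir()` walk of `/proc` omits. The script below is an added example written for this article, not code from TeamTNT, AT&T Alien Labs or the libprocesshider project; the preload path, PID sets and process names are constructed sample data, and the live functions assume a Linux host with `/proc` mounted.

```python
"""Host-level checks for an LD_PRELOAD-based process hider (libprocesshider style).

Added example for this article; not TeamTNT's, AT&T Alien Labs' or
libprocesshider's own code. Sample data below is constructed.
"""
import os
from typing import Dict, Iterable, List, Set

# --- Constructed sample data (not taken from the article) --------------------

# The loader reads /etc/ld.so.preload and injects every listed object into each
# dynamically linked program (ps, lsof, ...). The path here is a placeholder.
SAMPLE_LD_PRELOAD = "# system libs\n\n/usr/local/lib/libsystem.so\n"

# PIDs as a readdir() walk of /proc reports them when readdir() is hooked ...
SAMPLE_READDIR_PIDS = {1, 2, 543, 1201}
# ... versus PIDs found by stat()-probing /proc/<pid>, which the hook cannot filter.
SAMPLE_PROBED_PIDS = {1, 2, 543, 1201, 1337}
# /proc/<pid>/comm values for the probed PIDs (constructed names).
SAMPLE_COMM = {1: "systemd", 2: "kthreadd", 543: "sshd", 1201: "bash", 1337: "miner"}


def preload_entries(text: str) -> List[str]:
    """Return the library paths listed in an ld.so.preload file.

    Blank lines and '#' comments are skipped, as the dynamic loader skips them.
    On a clean host the file is normally absent or empty, so any entry is worth
    a look; an entry under /tmp, /dev/shm or a user-writable path even more so.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def hidden_processes(readdir_pids: Iterable[int], probed_pids: Iterable[int],
                     comm: Dict[int, str]) -> Dict[int, str]:
    """PIDs that exist under /proc but are missing from the readdir() listing."""
    hidden = set(probed_pids) - set(readdir_pids)
    return {pid: comm.get(pid, "?") for pid in sorted(hidden)}


# --- Live collection (Linux only; goes through the same libc a hider hooks) ---

def readdir_pids() -> Set[int]:
    """PIDs as os.listdir('/proc') reports them; CPython uses libc readdir()."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(max_pid: int = 32768) -> Set[int]:
    """PIDs found by stat()-probing /proc/<pid>/status, bypassing readdir()."""
    return {pid for pid in range(1, max_pid + 1)
            if os.path.exists(f"/proc/{pid}/status")}


def read_comm(pids: Iterable[int]) -> Dict[int, str]:
    out = {}
    for pid in pids:
        try:
            with open(f"/proc/{pid}/comm") as f:
                out[pid] = f.read().strip()
        except OSError:
            out[pid] = "?"  # process exited between probe and read
    return out


def live_report() -> Dict[str, object]:
    """Run both checks against the running host."""
    findings: Dict[str, object] = {}
    try:
        with open("/etc/ld.so.preload") as f:
            findings["ld_so_preload"] = preload_entries(f.read())
    except FileNotFoundError:
        findings["ld_so_preload"] = []
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    except OSError:
        max_pid = 32768
    probed = probe_pids(max_pid)
    findings["hidden"] = hidden_processes(readdir_pids(), probed, read_comm(probed))
    return findings


if __name__ == "__main__":
    print("sample ld.so.preload entries:", preload_entries(SAMPLE_LD_PRELOAD))
    print("sample hidden PIDs:",
          hidden_processes(SAMPLE_READDIR_PIDS, SAMPLE_PROBED_PIDS, SAMPLE_COMM))
    if os.path.isdir("/proc"):
        print("live host:", live_report())
```

Two caveats apply when running the live report. The probe loop walks every PID up to `kernel.pid_max`, which on hosts with a large limit takes a few seconds; and a `readdir()` hook only affects programs that load the preloaded object, so the most robust comparison runs the probe from a statically linked tool or from a separate, trusted image of the host's processes. A non-empty `ld.so.preload` is the cheaper signal and is easy to add to a file-integrity baseline.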