Image: Moritz Kindler
AT&T Alien Labs security researchers have discovered that the TeamTNT cybercrime group upgraded their Linux crypto-mining with open-source detection evasion capabilities.
TeamTNT is mostly known for targeting and compromising Internet-exposed Docker instances for unauthorized Monero (XMR) mining.
However, the group has also shifted tactics by updating its Linux cryptojacking malware named Black-T to also harvest user credentials from infected servers.
TeamTNT now further upgraded their malware to evade detection after infecting and deploying malicious coinminer payloads on Linux devices.
Hiding in plain sight
“The group is using a new detection evasion tool, copied from open source repositories,” AT&T Alien Labs security researcher Ofer Caspi says in a report published today.
This tool is known as libprocesshider and is an open-source tool available on Github that can be used to hide any Linux process with the help of the ld preloader.
“The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique,” Caspi added.
The detection evasion tool is deployed on infected systems as a base64 encoded bash script embedded within the TeamTNT ircbot or cryptominer binary.
Once the script gets launched on a compromised machine, it will execute a series of tasks that will allow it to:
- Modify the network DNS configuration.
- Set persistence through systemd.
- Drop and activate the new tool as service.
- Download the latest IRC bot configuration.
- Clear evidence of activities to complicate potential defender actions.
After going through all the steps, the Black-T malware will also automatically erase all malicious activity traces by deleting the system’s bash history.
“Through the use of libprocesshider, TeamTNT once again expands their capabilities based on the available open source tools,” Caspi concluded.
“While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level.”