TeamTNT Cloaks Malware With Open-Source Tool

  • The detection-evasion tool, libprocesshider, hides TeamTNT’s malware from course of action-details applications.

    The TeamTNT risk team has included a new detection-evasion instrument to its arsenal, encouraging its cryptomining malware skirt by protection teams.

    The TeamTNT cybercrime team is identified for cloud-centered assaults, which include targeting Amazon Web Products and services (AWS) credentials in order to split into the cloud and use it to mine for the Monero cryptocurrency. It has also earlier qualified Docker and Kubernetes cloud scenarios.

    The new detection-evasion tool, libprocesshider, is copied from open up-supply repositories. The open-resource device, from 2014 has been situated on Github, and is explained as having capabilities to “hide a system under Linux utilizing the ld preloader.”

    “While the new functionality of libprocesshider is to evade detection and other essential features, it acts as an indicator to take into account when looking for destructive action on the host stage,” explained scientists with AT&T’s Alien Labs, on Wednesday.

    The new instrument is sent inside of a foundation64-encoded script, concealed in the TeamTNT cryptominer binary, or by using its Internet Relay Chat (IRC) bot, called TNTbotinger, which is capable of dispersed denial of support (DDoS) attacks.

    In the attack chain, right after the foundation64-encoded script is downloaded, it operates by way of several duties. These consist of modifying the network DNS configuration, placing persistence (as a result of systemd), downloading the most up-to-date IRC bot configuration, clearing evidence of pursuits – and dropping and activating libprocesshider. The resource is dropped as a hidden Tape Archive file (also known as the Tar format, which is made use of for open-supply application distribution) on the disk and then decompressed by the script and composed to ‘/usr/regional/lib/systemhealt.so’.

    libprocesshider then aims to hides the malicious process from course of action information and facts courses such as `ps’ and `lsof.’

    These are both approach-viewer tools, which use the file ‘/usr/bin/sbin. The ‘ps’ software (shorter for “process status”) displays now operating procedures in lots of Unix-like working techniques meanwhile, ‘lsof’ is a command (small for “list open up files”), also used in Unix-like working units to, as the name indicates, report a list of all open up information and the processes that opened them. Hiding the process from these two system-viewer resources would make it possible for the attacker to cloak its destructive exercise.

    libprocesshider makes use of a method known as preloading in order to hide its activity from ‘ps’ and ‘lsof.’ This course of action enables the technique to load a tailor made shared library before other procedure libraries are loaded.

    “If the personalized shared library exports a function with the very same signature of 1 found in the procedure libraries, the custom made model will override it,” claimed scientists.

    The uploaded custom made shared library then enables the tool to apply the perform readdir(). This functionality is used by procedures like `ps’ to examine the /proc listing to locate working procedures. It works by using this operate to modify the return worth, in situation ‘ps’ discover the malicious course of action, in buy to cover it.

    TeamTNT Carries on to Insert New Capabilities

    From time to time, TeamTNT has been noticed deploying several updates to its cryptomining malware, together with a new memory loader uncovered just a several weeks ago, which was primarily based on Ezuri and published in GOlang.

    In August, TeamTNT’s cryptomining worm was discovered spreading by means of the AWS cloud and accumulating qualifications. Then, following a hiatus, the TeamTNT team returned in September to attack Docker and Kubernetes cloud scenarios by abusing a legitimate cloud-monitoring software referred to as Weave Scope.

    Obtain our special Free Threatpost Insider Ebook Healthcare Security Woes Balloon in a Covid-Era Planet, sponsored by ZeroNorth, to find out a lot more about what these security risks mean for hospitals at the day-to-working day degree and how health care security teams can put into practice finest methods to secure providers and people. Get the full story and Download the E-book now – on us!