TeamTNT group adds new detection evasion tool to its Linux miner

The TeamTNT cybercrime group has improved its Linux cryptocurrency miner by implementing open-source detection evasion capabilities.

The TeamTNT cybercrime group has upgraded their Linux cryptocurrency miner by adding open-source detection evasion capabilities, AT&T Alien Labs researchers warn.

Early this year, researchers from Trend Micro discovered that the TeamTNT botnet was improved with the ability to steal Docker credentials.

The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and that targets Docker installs. The activity of the TeamTNT group has been detailed by security firm Trend Micro, but in August experts from Cado Security discovered that that botnet is also able to target misconfigured Kubernetes installations.

“The group is using a new detection evasion tool, copied from open source repositories,” reads the analysis published by AT&T Alien Labs.

The threat actor behind the botnet used the new tool to hide the malicious process from process information programs such as `ps` and `lsof`and evading the detection.

The libprocesshider open-source tool is available on Github since 2014 and is able to “hide a process under Linux using the ld preloader.” The “preloading” technique allows the system to load a custom shared library before other system libraries are loaded. If the custom shared library exports a function with the same signature of a library that is located in the system libraries, the custom version will override it.

The tool implements the function readdir() which is used by processes such as `ps` to read the /proc directory to find running processes. The shared library implements a version of the function that hides matches between the processes found and the process that attackers want to hide.

The open-source tool is deployed within a base64 encoded script hidden in the TeamTNT cryptominer binary or ircbot

Upon executing the bash script, it will execute multiple tasks to:

• Modify the network DNS configuration.
• Set persistence through systemd.
• Drop and activate the new tool as service.
• Download the latest IRC bot configuration.
• Clear evidence of activities to complicate potential defender actions.

The new tool is initially dropped as a hidden tar file on disk, then it is decompressed by the script, it is written to ‘/usr/local/lib/systemhealt.so’, and then added to ‘/etc/ld.so.preload’. In this way the preloading technique is implemented and the attacker can override common functions 

“Through the use of libprocesshider, TeamTNT once again expands their capabilities based on the available open source tools,” concludes the report.

“While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]