TeamTNT is distributing a Monero miner that goes undetected by security tools


A previously unknown strain survives system reboots and hides its mining process from process listings.

Security company Cado Security has discovered that the TeamTNT cryptojacking group is spreading a previously unknown strain of Monero cryptocurrency mining malware on compromised systems.

According to the Cado Security report, the sample uploaded to VirusTotal shares several syntactic and semantic similarities with previous TeamTNT payloads and contains a wallet ID previously attributed to the group.

The TeamTNT group, active since at least 2019, has repeatedly attacked cloud and container environments to deploy cryptocurrency miners. The group is also known for a cryptomining worm that steals AWS credentials from infected hosts.

The shell script that deploys the miner first prepares the host by:

reconfiguring hard resource limits so the miner is not throttled;
disabling shell command history so its commands are not recorded;
allowing all incoming and outgoing network traffic;
enumerating the host's hardware resources;
removing the remains of previous compromises before launching its own payload.

The payload also hides the miner process by dynamic linker hijacking: libprocesshider, an open-source shared object loaded through the LD_PRELOAD mechanism (the environment variable or /etc/ld.so.preload), hooks the readdir() calls that tools such as ps and top use to enumerate /proc, so the miner's entry never appears in their output.
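A readdir() hook of this kind can filter entries out of a directory listing, but it cannot stop a direct stat() of /proc/<pid>, so walking the PID space and comparing the two views exposes the hidden process. The following scanner is added here as an example; it is not code from the article, from Cado Security or from TeamTNT. The function names, the sample listing and the library path in the test data are this example's own.

```python
"""Spot a process hidden by an LD_PRELOAD readdir() hook such as libprocesshider.

Added example; not code from the article, from Cado Security or from TeamTNT.
The hook filters names out of the /proc listing (os.listdir goes through readdir),
but os.path.exists("/proc/<pid>") is a plain stat() and is not affected, so a PID
that stat() confirms but the listing lacks is being hidden.
"""
import os
import re


def pids_from_listing(names):
    """Numeric PIDs among the entry names returned for /proc (the hookable view)."""
    return {int(n) for n in names if n.isdigit()}


def find_hidden_pids(listed_pids, pid_exists, pid_max):
    """PIDs that exist according to pid_exists() but were missing from the listing."""
    return sorted(pid for pid in range(1, pid_max + 1)
                  if pid not in listed_pids and pid_exists(pid))


def preload_libraries(ld_so_preload_text, environ):
    """Shared objects injected system-wide via /etc/ld.so.preload or per-process via LD_PRELOAD."""
    libs = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()   # the file allows comments
        if line:
            libs.extend(line.split())           # and several paths per line
    libs.extend(p for p in re.split(r"[\s:]+", environ.get("LD_PRELOAD", "")) if p)
    return libs


def scan_live_system():
    """Run both checks on the running Linux host; returns (hidden_pids, preload_libs)."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    # A PID that exits between the listing and the stat() would look hidden, so only
    # report PIDs that are still alive and still absent from a second listing.
    first = pids_from_listing(os.listdir("/proc"))
    suspects = find_hidden_pids(first, lambda p: os.path.exists(f"/proc/{p}"), pid_max)
    second = pids_from_listing(os.listdir("/proc"))
    hidden = [p for p in suspects if p not in second and os.path.exists(f"/proc/{p}")]
    try:
        with open("/etc/ld.so.preload") as f:
            preload_text = f.read()
    except FileNotFoundError:
        preload_text = ""
    return hidden, preload_libraries(preload_text, os.environ)


if __name__ == "__main__":
    hidden, libs = scan_live_system()
    for pid in hidden:
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            comm = "?"
        print(f"hidden pid {pid} ({comm})")
    for lib in libs:
        print(f"preloaded library: {lib}")
    if not hidden and not libs:
        print("no hidden processes or preload libraries found")
```

Run it as root on the suspect host; the walk covers the full pid_max range (4194304 on most 64-bit systems), so expect it to take several seconds. An entry in /etc/ld.so.preload affects every dynamically linked process, this scanner included, which is exactly why the stat() walk rather than the directory listing is the authoritative view.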

Persistence is achieved in three different ways, one of which is modifying the user's ".profile" file so the miner is relaunched after a reboot; since ".profile" is executed when a login shell starts, the miner comes back at the next login after the reboot rather than being started by the boot process itself.
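To triage a dropped script for the preparation steps listed above, or a login profile for the ".profile" persistence just described, the following Python scanner is added here as an example; it is not code from the article, from Cado Security or from TeamTNT. The indicator patterns (ulimit changes, history variables, iptables policies, nproc/lscpu, kills of xmrig/minerd, background launches appended to ~/.profile) are this example's own assumptions about how those steps appear in a shell script, and both sample inputs are constructed.

```python
"""Triage helper for the preparation and persistence steps described in the article.

Added example; not code from the article, from Cado Security or from TeamTNT.
Each pattern is one observable form of a step in the text; the exact command
forms and the miner names are this example's assumptions, not observed IOCs.
"""
import re

# (label, regex) applied to each line of a shell script or a login profile.
INDICATORS = [
    ("resource_limits",     r"\bulimit\s+-\w+"),
    ("history_disabled",    r"HISTFILE=/dev/null|HISTSIZE=0|unset\s+HISTFILE|set\s+\+o\s+history|history\s+-c"),
    ("firewall_allow_all",  r"\biptables\s+(-P\s+(INPUT|OUTPUT|FORWARD)\s+ACCEPT|-F(\s|$))"),
    ("hw_enumeration",      r"\b(nproc|lscpu)\b|/proc/(cpuinfo|meminfo)"),
    ("competitor_cleanup",  r"\b(pkill|killall)\b.*\b(xmrig|minerd)\b"),   # assumed miner names
    ("profile_persistence", r"\b(nohup|setsid)\s|&\s*$|>>\s*\S*\.(profile|bashrc)|\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
]
COMPILED = [(label, re.compile(rx)) for label, rx in INDICATORS]


def scan_text(text):
    """Return (line_number, label, line) for every hit; at most one hit per label per line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for label, rx in COMPILED:
            if rx.search(line):
                hits.append((lineno, label, stripped))
    return hits


def verdict(hits, threshold=3):
    """Distinct step categories seen; several of them in one file is the strong signal."""
    labels = sorted({label for _, label, _ in hits})
    return labels, len(labels) >= threshold


def scan_file(path):
    with open(path, errors="replace") as f:
        return scan_text(f.read())


# Constructed samples: a dropper performing the listed steps, and a ~/.profile it modified.
SAMPLE_SCRIPT = """\
#!/bin/bash
ulimit -n 65535
export HISTFILE=/dev/null
unset HISTFILE
iptables -P INPUT ACCEPT
iptables -F
CORES=$(nproc)
pkill -9 -f xmrig
echo 'nohup /tmp/.x/run >/dev/null 2>&1 &' >> ~/.profile
"""

SAMPLE_PROFILE = """\
# ~/.profile: executed by the command interpreter for login shells.
umask 022
export PATH="$HOME/bin:$PATH"
nohup /tmp/.x/run >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for name, text in (("dropper", SAMPLE_SCRIPT), ("~/.profile", SAMPLE_PROFILE)):
        hits = scan_text(text)
        labels, suspicious = verdict(hits)
        print(f"{name}: {'SUSPICIOUS' if suspicious else 'low signal'} {labels}")
        for lineno, label, line in hits:
            print(f"  {lineno:>3} {label:<20} {line}")
```

A single category is weak evidence (an admin's ~/.profile may legitimately start a background job), which is why verdict() only flags a file once several distinct steps co-occur; point scan_file() at ~/.profile, ~/.bashrc and /etc/profile of every account on a suspect host and review the hits by hand.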

Cryptocurrency mining on an organization's network can lead to degraded system performance, increased power consumption, equipment overheating, and service interruption. Beyond the mining itself, the foothold the attackers obtain can be reused for further malicious activity.