Linux malware uses open-source tool to evade detection

Image: Moritz Kindler

AT&T Alien Labs security researchers have discovered that the TeamTNT cybercrime group has upgraded its Linux crypto-mining malware with open-source detection evasion capabilities.

TeamTNT is mostly known for targeting and compromising Internet-exposed Docker instances for unauthorized Monero (XMR) mining.

However, the group has also shifted tactics by updating its Linux cryptojacking malware named Black-T to also harvest user credentials from infected servers.

TeamTNT has now further upgraded its malware to evade detection after infecting Linux devices and deploying malicious coinminer payloads on them.

Hiding in plain sight

“The group is using a new detection evasion tool, copied from open source repositories,” AT&T Alien Labs security researcher Ofer Caspi says in a report published today.

The tool, libprocesshider, is an open-source project available on GitHub that can hide any Linux process from user-space tools by abusing the dynamic linker's preload mechanism (LD_PRELOAD).

“The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique,” Caspi added.

The detection evasion tool is deployed on infected systems as a base64-encoded bash script embedded within the TeamTNT IRC bot or cryptominer binary.

Decoded process hiding script (AT&T Alien Labs)

Once the script is launched on a compromised machine, it executes a series of tasks that:

  • Modify the network DNS configuration.
  • Set persistence through systemd.
  • Drop and activate the new tool as a service.
  • Download the latest IRC bot configuration.
  • Clear evidence of activities to complicate potential defender actions.

After going through all the steps, the Black-T malware also automatically erases traces of its activity by deleting the system’s bash history.

“Through the use of libprocesshider, TeamTNT once again expands their capabilities based on the available open source tools,” Caspi concluded.

“While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level.”
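A host-level hunt for this kind of hiding, as an added example that is not code from AT&T Alien Labs or from the TeamTNT tooling: it lists the entries in /etc/ld.so.preload and compares the PIDs a readdir-based listing of /proc returns (what `ps` and `lsof` rely on) with those reachable by opening /proc/<pid> directly, which a preloaded readdir hook cannot intercept. The /proc and ld.so.preload paths are standard Linux locations; any other values are constructed for illustration.

```python
"""Host check for readdir-hooking process hiders such as libprocesshider
(added example, not AT&T Alien Labs' or TeamTNT's code). Linux only."""
import os
import re

PROC = "/proc"
LD_PRELOAD_FILE = "/etc/ld.so.preload"  # consulted by ld.so for every dynamic binary

def parse_ld_preload(text):
    """Shared objects named in an ld.so.preload file: entries are separated
    by whitespace or ':', and '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(p for p in re.split(r"[\s:]+", line) if p)
    return libs

def hidden_pids(listed, is_process, pid_max):
    """PIDs a direct probe finds but the readdir listing omitted.
    listed: PIDs returned by readdir on /proc (what ps, ls and lsof use).
    is_process(pid): True if /proc/<pid> is a thread-group leader, decided
    via stat/open, which a readdir hook cannot intercept. Threads must be
    excluded: /proc/<tid> is reachable by path but never listed."""
    return sorted(p for p in range(1, pid_max + 1)
                  if p not in listed and is_process(p))

def proc_is_leader(pid):
    """Open /proc/<pid>/status directly and check Tgid == pid."""
    try:
        with open(f"{PROC}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:  # no such pid, or it exited mid-scan
        pass
    return False

def scan_live_system():
    """Run both checks on this host; slow at a large pid_max. Re-list /proc
    to confirm a hit, since a process started mid-sweep is reported too."""
    preload = []
    if os.path.exists(LD_PRELOAD_FILE):
        with open(LD_PRELOAD_FILE) as f:
            preload = parse_ld_preload(f.read())
    listed = {int(n) for n in os.listdir(PROC) if n.isdigit()}
    with open(f"{PROC}/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    return preload, hidden_pids(listed, proc_is_leader, pid_max)
```

Calling `scan_live_system()` as root returns the preload entries and the PIDs that a readdir-based `ps` would not show; an empty list means nothing was hidden from readdir at scan time.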

Botnet upgrades

The crypto-mining botnet was first spotted in May 2020 by MalwareHunterTeam and later analyzed by Trend Micro, which discovered its affinity for Docker targets.

After the malware infects a misconfigured server, it deploys itself in new containers and drops a malicious payload binary that starts mining Monero (XMR) cryptocurrency.

In August, Cado Security spotted the TeamTNT worm’s new AWS credential-harvesting feature, making it the first cryptojacking botnet with this capability.

One month later, the malware was observed by Intezer while deploying the legitimate Weave Scope open-source tool to take control of victims’ Docker, Kubernetes, Distributed Cloud Operating System (DC/OS), or AWS Elastic Compute Cloud (ECS) cloud infrastructure.

Earlier this month, TeamTNT started using the open-source Ezuri crypter and memory loader to make their malware virtually undetectable by antivirus products.