Operators of the TeamTNT crypto-mining malware have upgraded their operation with open-source detection evasion capabilities, according to researchers at AT&T Alien Labs.
The TeamTNT group has been active since April 2020 and has been known to target Docker and Kubernetes installs. TeamTNT usually scans the internet for misconfigured Docker containers and infects them with a malicious cryptocurrency miner and DDoS malware. It can also steal credentials from infected servers.
Now, it appears the group has added another tool to its list of capabilities. The tool, called libprocesshider, is an open source tool available on GitHub since 2014, described as "hide a process under Linux using the ld preloader." It is designed to hide the malicious process from process-listing programs such as `ps` and `lsof`, effectively acting as a defense evasion technique.
“The tool implements the function readdir() which is being used by processes such as `ps` to read the /proc directory to find running processes and to modify the return value in case there is a match between the processes found and the process needed to hide,” the researchers explained.
Libprocesshider is deployed on infected systems as a base64 encoded bash script embedded within the TeamTNT ircbot or cryptominer binary.
Upon binary execution, the bash script will conduct numerous tasks, including:
Modify the network DNS configuration.
Set persistence through systemd.
Drop and activate the new tool as a service.
Download the latest IRC bot configuration.
Clear evidence of activities to complicate potential defender actions.
The tool is first dropped on disk as a hidden tar file; the script then decompresses it and writes the library to '/usr/local/lib/systemhealt.so'. Next, it adds that path to '/etc/ld.so.preload' so the file is loaded before other system libraries, which allows the attacker to override some common functions.
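The two artifacts described above, a populated /etc/ld.so.preload and a readdir() hook over /proc, can both be hunted for from the host. The script below is an added example written for this article, not code from the researchers or from libprocesshider: it parses ld.so.preload the way the loader does, and it sweeps every candidate PID with a direct open() of /proc/<pid>/status, which a readdir() hook cannot filter, and reports any PID that exists but is missing from the hooked directory listing. Thread IDs (which the kernel itself omits from readdir) and processes that start or exit mid-sweep are excluded to avoid false positives.

```python
import os
from typing import Callable, Iterable, List, Set

PRELOAD_PATH = "/etc/ld.so.preload"  # normally absent or empty on a clean host

def parse_preload(text: str) -> List[str]:
    """Library paths in ld.so.preload content: the loader accepts whitespace or ':'
    as separators and '#' comments, so a one-line file with several entries parses too."""
    entries: List[str] = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].replace(":", " ").split())
    return entries

def is_process(pid: int) -> bool:
    """True if /proc/<pid> is a thread-group leader (a real process). Thread IDs also
    answer to /proc/<tid> but are omitted from readdir() by the kernel, so they are
    not evidence of hiding and must be excluded."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:  # no such pid, or it exited while we were reading
        pass
    return False

def find_hidden_pids(listed: Iterable[str], is_proc: Callable[[int], bool],
                     max_pid: int) -> Set[int]:
    """PIDs that exist but were missing from the readdir() view of /proc. A readdir()
    hook only filters directory entries; it cannot block a direct open() of
    /proc/<pid>/status, which is the gap this comparison relies on."""
    visible = {int(name) for name in listed if name.isdigit()}
    return {pid for pid in range(1, max_pid + 1) if pid not in visible and is_proc(pid)}

def scan_host() -> dict:
    """Run both checks on the live system (Linux only; the PID sweep takes seconds)."""
    preload: List[str] = []
    if os.path.exists(PRELOAD_PATH):
        with open(PRELOAD_PATH) as fh:
            preload = parse_preload(fh.read())
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    # os.listdir() goes through libc readdir(), so on an infected host this is the hooked view.
    hidden = find_hidden_pids(os.listdir("/proc"), is_process, max_pid)
    # Second look drops processes that merely started or exited mid-sweep.
    hidden = {p for p in hidden if is_process(p) and str(p) not in os.listdir("/proc")}
    return {"preload_entries": preload, "hidden_pids": sorted(hidden)}

if __name__ == "__main__":
    print(scan_host())
```

Any non-empty preload_entries list, or any PID in hidden_pids, warrants triage of the named library and process; a rootkit that also hooks open() would evade the sweep, so treat a clean result as one signal rather than proof.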
“Through the use of libprocesshider, TeamTNT once again expands their capabilities based on the available open source tools. While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level,” the research team wrote.