28 January 2021

TeamTNT gang adds new detection evasion tool to its toolkit


Operators of the TeamTNT crypto-mining malware have upgraded their operation with open-source detection evasion capabilities, according to researchers at AT&T Alien Labs.

The TeamTNT group has been active since April 2020 and is known to target Docker and Kubernetes installs. TeamTNT usually scans the internet for misconfigured Docker containers and infects them with a malicious cryptocurrency miner and DDoS malware. It can also steal credentials from infected servers.

Now, it appears the group has added another tool to its list of capabilities. The tool, called libprocesshider, is an open source tool available on GitHub since 2014, described as "hide a process under Linux using the ld preloader." It is designed to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique.

“The tool implements the function readdir() which is being used by processes such as `ps` to read the /proc directory to find running processes and to modify the return value in case there is a match between the processes found and the process needed to hide,” the researchers explained.

Libprocesshider is deployed on infected systems as a base64 encoded bash script embedded within the TeamTNT ircbot or cryptominer binary.

Upon binary execution, the bash script will conduct numerous tasks, including:

  • Modify the network DNS configuration.

  • Set persistence through systemd.

  • Drop and activate the new tool as a service.

  • Download the latest IRC bot configuration.

  • Clear evidence of activities to complicate potential defender actions.

The tool is first dropped as a hidden tar file on disk; the script then decompresses it and writes it to '/usr/local/lib/systemhealt.so'. Next, it registers that file in '/etc/ld.so.preload' so the dynamic loader loads it before other system libraries, which lets the attacker override some common library functions such as readdir().
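As an added defender-side example, not part of the report nor of the TeamTNT or libprocesshider code, the following Linux-only C check looks for the two artifacts described above: it counts PID entries in /proc as seen through libc's readdir() against those returned by the raw getdents64 syscall (a preloaded readdir() hook cannot filter the syscall), and counts the entries in an ld.so.preload file. The fixture directory, its entries and the sample preload file are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Record layout returned by the Linux getdents64 syscall. */
struct linux_dirent64 { unsigned long long d_ino; long long d_off; unsigned short d_reclen; unsigned char d_type; char d_name[]; };
/* All-digit name, as /proc uses for process entries. */
static int is_pid_name(const char *s) { if (!*s) return 0; for (; *s; s++) if (*s < '0' || *s > '9') return 0; return 1; }
/* PID-like entries seen through libc readdir(), the function libprocesshider overrides. */
int count_pids_readdir(const char *dir) {
    DIR *d = opendir(dir); if (!d) return -1;
    int n = 0; struct dirent *e;
    while ((e = readdir(d)) != NULL) n += is_pid_name(e->d_name);
    closedir(d); return n;
}
/* The same count via the raw syscall, which an LD_PRELOAD hook on readdir() cannot filter. */
int count_pids_getdents(const char *dir) {
    int fd = open(dir, O_RDONLY | O_DIRECTORY); if (fd < 0) return -1;
    long long raw[1024]; char *buf = (char *)raw; int n = 0; long got; /* 8-byte aligned buffer */
    while ((got = syscall(SYS_getdents64, fd, buf, sizeof raw)) > 0)
        for (long off = 0; off < got;) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            n += is_pid_name(e->d_name); off += e->d_reclen;
        }
    close(fd); return n;
}
/* Indicator: PIDs the kernel lists but readdir() does not. 0 on a clean host; a process that
   exits between the two scans can also give a small difference, so repeat before acting. */
int hidden_pid_count(const char *dir) { return count_pids_getdents(dir) - count_pids_readdir(dir); }
/* Non-blank lines in an ld.so.preload file (0 if absent). Any entry on a server deserves review. */
int preload_entry_count(const char *path) {
    FILE *f = fopen(path, "r"); if (!f) return 0;
    char line[512]; int n = 0;
    while (fgets(line, sizeof line, f)) if (line[strspn(line, " \t\r\n")] != '\0') n++;
    fclose(f); return n;
}
/* Constructed fixture (hypothetical data): a directory holding "1", "42", "abc" plus a preload
   file naming the library path from the report, a blank line, and one other library. */
static char fx_dir[] = "/tmp/fakeprocXXXXXX", fx_pre[64] = "";
static void build_fixture(void) {
    if (fx_pre[0] || !mkdtemp(fx_dir)) return;
    const char *names[] = {"1", "42", "abc"}; char p[64];
    for (int i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s/%s", fx_dir, names[i]); close(creat(p, 0600)); }
    snprintf(fx_pre, sizeof fx_pre, "%s/ld.so.preload", fx_dir);
    FILE *f = fopen(fx_pre, "w"); if (f) { fputs("/usr/local/lib/systemhealt.so\n\n/opt/other.so\n", f); fclose(f); }
}
const char *fixture_dir(void)     { build_fixture(); return fx_dir; }
const char *fixture_preload(void) { build_fixture(); return fx_pre; }
```

On a live host, call `hidden_pid_count("/proc")` and `preload_entry_count("/etc/ld.so.preload")`; a non-zero result from either is a hunting lead, not proof on its own.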

“Through the use of libprocesshider, TeamTNT once again expands their capabilities based on the available open source tools. While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level,” the research team wrote.
