
The cryptojacking group known as TeamTNT is suspected to be behind a previously undocumented strain of malware used to mine the Monero cryptocurrency on compromised systems.
The finding comes from Cado Security, which discovered the sample after Sysdig detailed a sophisticated attack, dubbed SCARLETEEL, that ultimately targeted containerized environments to steal proprietary data and software.
In that attack, cryptocurrency miners were deployed early in the chain; Sysdig suspected they served as a decoy to draw attention away from the data exfiltration.
The artifact, uploaded to VirusTotal late last month, "bear[s] some syntactic and semantic similarities to previous TeamTNT payloads, including wallet identities that were previously attributed to them," Cado Security's new analysis reveals.
TeamTNT, active since at least 2019, has been documented to repeatedly attack cloud and container environments to deploy cryptocurrency miners. It has also been known to unleash a crypto-mining worm that can steal AWS credentials.
Although the group voluntarily shut down its operations in November 2021, cloud security company Aqua revealed in September 2022 a fresh series of attacks staged by the group against improperly configured Docker and Redis instances.
That said, there are also indications that rival crews such as WatchDog may be mimicking TeamTNT’s Tactics, Techniques, and Procedures (TTPs) to thwart attribution efforts.
Another notable activity cluster, Kiss-a-dog, also relies on tools and command-and-control (C2) infrastructure previously associated with TeamTNT to mine cryptocurrency.

There is no concrete evidence linking the new malware to the SCARLETEEL attack. However, Cado Security noted that the sample surfaced around the time the latter was reported, raising the possibility that it is the "decoy" miner installed in that intrusion.
Before starting to mine, the shell script performs a series of preparatory steps: it raises resource hard limits, disables command history logging, sets the firewall to accept all ingress and egress traffic, enumerates hardware resources, and cleans up traces of previous compromises.
As in other TeamTNT-related attacks, the payload uses dynamic linker hijacking to hide the miner process: a shared object called libprocesshider is injected through the LD_PRELOAD environment variable so that the miner is omitted from process listings.
Persistence is achieved through three different means, one of which modifies the .profile file so that the miner is relaunched after a system reboot, since that file is executed at the user's next login shell.
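A runtime check for the hiding technique just described, added here as an example and not code from the article or from Cado Security. It assumes the preload library behaves like the open-source libprocesshider (an assumption, not something the article states): it hooks readdir(), so a hidden PID disappears from a directory listing of /proc while a direct stat() of /proc/<pid> still succeeds. The first function exploits that gap; the second extracts injected libraries from a process's environment block or from /etc/ld.so.preload. The file and PID layout under /proc is standard Linux; `live_scan` is a convenience wrapper for running both checks on the local host.

```python
"""Runtime checks for LD_PRELOAD-based process hiding on a Linux host.

Added example, not code from the article or from Cado Security.
Assumption: the hider hooks readdir() as libprocesshider does, so a PID
vanishes from `ls /proc` while stat("/proc/<pid>") still succeeds.
"""
from __future__ import annotations

import os
from typing import Callable, Dict, Iterable, List, Optional

LD_PRELOAD_KEY = b"LD_PRELOAD="


def find_hidden_pids(listed: Iterable[str], probe: Callable[[int], bool], max_pid: int) -> List[int]:
    """Return PIDs that `probe` confirms exist but `listed` omits.

    `listed` is what readdir() on /proc returned (what `ls /proc` shows);
    `probe(pid)` answers "does /proc/<pid> exist?" without going through
    readdir(). A readdir-hooking preload can only lie to the first path.
    """
    visible = {int(name) for name in listed if name.isdigit()}
    return [pid for pid in range(1, max_pid + 1) if pid not in visible and probe(pid)]


def preloaded_libs(environ_blob: bytes, ld_so_preload: str = "") -> List[str]:
    """Shared objects injected via LD_PRELOAD (NUL-separated /proc/<pid>/environ
    contents) or via /etc/ld.so.preload (one path per line, '#' comments)."""
    libs: List[str] = []
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(LD_PRELOAD_KEY):
            value = entry[len(LD_PRELOAD_KEY):].decode("utf-8", errors="replace")
            # ld.so accepts colon- or space-separated lists in LD_PRELOAD.
            libs.extend(p for p in value.replace(":", " ").split() if p)
    for line in ld_so_preload.splitlines():
        path = line.split("#", 1)[0].strip()
        if path:
            libs.append(path)
    return libs


def _read_pid_max(default: int = 4194304) -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def live_scan(max_pid: Optional[int] = None) -> Dict[str, object]:
    """Run both checks against the live /proc of this host (Linux only)."""
    if not os.path.isdir("/proc"):
        return {"hidden_pids": [], "preloads": {}, "note": "no /proc on this host"}
    limit = max_pid or _read_pid_max()
    hidden = find_hidden_pids(os.listdir("/proc"), lambda pid: os.path.exists(f"/proc/{pid}"), limit)

    preloads: Dict[str, List[str]] = {}
    try:
        with open("/etc/ld.so.preload") as fh:
            system_wide = preloaded_libs(b"", fh.read())
    except OSError:
        system_wide = []
    if system_wide:
        preloads["/etc/ld.so.preload"] = system_wide
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/environ", "rb") as fh:
                libs = preloaded_libs(fh.read())
        except OSError:  # not our process, or it exited while we looked
            continue
        if libs:
            preloads[name] = libs
    return {"hidden_pids": hidden, "preloads": preloads}


if __name__ == "__main__":
    report = live_scan()
    print("hidden pids:", report["hidden_pids"] or "none")
    for where, libs in report["preloads"].items():
        print(f"LD_PRELOAD in {where}: {libs}")
```

The probe must not go through readdir(): `os.path.exists` calls stat(), which the hider leaves alone. Reading other users' environ files needs root, so run the scan with the privileges you expect the miner to have; a full sweep up to pid_max costs a few million stat() calls, so pass a smaller `max_pid` if you only want a quick look at low PIDs.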
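Taken together, the preparatory steps, the LD_PRELOAD hiding and the .profile persistence form a recognisable shape that can be triaged statically. The script below, an added example and not code from the article or from Cado Security, tags each line of a dropper shell script with the step it implements. The regexes are generic shell idioms for each step (an assumption on my part, not the literal commands in the analysed sample), and SAMPLE_SCRIPT is a constructed script written only to exercise every pattern.

```python
"""Static triage of a dropper shell script for the preparatory, hiding and
persistence steps described above.

Added example, not code from the article or from Cado Security. The
patterns are generic shell idioms (assumed), and SAMPLE_SCRIPT is
constructed for the demo, not taken from any real sample.
"""
from __future__ import annotations

import re
from typing import Dict, List

# tag -> patterns; one match on a line is enough to raise the tag for it.
TTP_PATTERNS: Dict[str, List[str]] = {
    "raise_resource_limits": [r"\bulimit\s+-[A-Za-z]*[nu]\b", r"/etc/security/limits\.conf"],
    "disable_history": [r"\bunset\s+HISTFILE\b", r"\bHISTFILE=/dev/null\b",
                        r"\bHISTSIZE=0\b", r"\bset\s+\+o\s+history\b"],
    "open_firewall": [r"\biptables\s+-P\s+(INPUT|OUTPUT|FORWARD)\s+ACCEPT\b",
                      r"\biptables\s+-F\b", r"\bufw\s+disable\b"],
    "enumerate_hardware": [r"\bnproc\b", r"\blscpu\b", r"/proc/cpuinfo",
                           r"\bfree\s+-[mg]\b", r"\bnvidia-smi\b"],
    "clean_prior_compromise": [r"\bpkill\s+(-\w+\s+)*\S*(xmrig|minerd|kdevtmpfsi|kinsing)",
                               r"\bkill\s+-9\s+\$\(\s*pgrep\b"],
    "ld_preload_hiding": [r"\bLD_PRELOAD=", r"libprocesshider", r"/etc/ld\.so\.preload"],
    "profile_persistence": [r">>\s*(~|\$HOME|/root|/home/[^/\s]+)/\.(profile|bash_profile|bashrc)\b"],
}
COMPILED = {tag: [re.compile(p) for p in pats] for tag, pats in TTP_PATTERNS.items()}


def triage_script(text: str) -> Dict[str, List[int]]:
    """Map each TTP tag to the 1-based line numbers of `text` that match it."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tag, regexes in COMPILED.items():
            if any(rx.search(line) for rx in regexes):
                hits.setdefault(tag, []).append(lineno)
    return hits


def coverage(hits: Dict[str, List[int]]) -> float:
    """Fraction of known steps present: a crude 'looks like a miner dropper' score."""
    return len(hits) / len(TTP_PATTERNS)


# Constructed sample: one line per step, written to exercise every pattern.
SAMPLE_SCRIPT = """\
#!/bin/bash
ulimit -n 65535
unset HISTFILE
export HISTSIZE=0
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
nproc
grep -c processor /proc/cpuinfo
pkill -f xmrig
kill -9 $(pgrep -f minerd)
echo /usr/local/lib/libprocesshider.so > /etc/ld.so.preload
export LD_PRELOAD=/usr/local/lib/libprocesshider.so
echo 'nohup /tmp/.x/miner >/dev/null 2>&1 &' >> ~/.profile
"""

if __name__ == "__main__":
    result = triage_script(SAMPLE_SCRIPT)
    for tag, lines in result.items():
        print(f"{tag:24s} lines {lines}")
    print(f"coverage: {coverage(result):.0%} of known steps")
```

Any single tag is weak on its own (`ulimit -n` and `nproc` are everyday admin commands); what matters is several of them co-occurring in one script, which is why the score counts distinct steps rather than raw matches. Feed it scripts recovered from `/tmp`, cron entries or container entrypoints, and extend the miner-name list in `clean_prior_compromise` with whatever your own telemetry shows.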
The findings follow confirmation that another cryptojacking group, the 8220 Gang, is using a crypter called ScrubCrypt to carry out illicit mining operations.
Additionally, an unknown actor has been spotted targeting Kubernetes clusters through exposed APIs to mine the cryptocurrency Dero, marking a move away from Monero.
Cybersecurity firm Morphisec also unveiled an evasive malware campaign last month that exploited the ProxyShell vulnerabilities in Microsoft Exchange servers to drop a cryptominer codenamed ProxyShellMiner.
“Cryptocurrency mining on an organization’s network can cause system performance degradation, increased power consumption, equipment overheating, and service outages,” the researchers said. “This gives attackers access for even more nefarious purposes.”