Security researchers have discovered that a notorious threat group has upgraded its arsenal with a new tool that enables its malware to avoid detection on Linux.
Researchers at AT&T’s Alien Labs report that the TeamTNT cybercrime group, known for breaking into popular cloud instances to mine cryptocurrency, is now using a detection-evasion tool based on the open source libprocesshider library.
The libprocesshider library describes itself as a means to “hide a process under Linux.”
Pulling a Keyser Soze
TeamTNT is infamous for targeting misconfigured Docker instances with crypto-mining malware, and has recently expanded to target Kubernetes installations and to steal AWS credentials.
According to reports, the group recently shifted tactics by updating its Linux cryptojacking malware, named Black-T, to also harvest user credentials from infected servers. It has now gone one step further and added detection-evasion capabilities to Black-T.
The researchers report that the new tool is delivered within a base64-encoded script, hidden in the TeamTNT cryptominer binary, or through its Internet Relay Chat (IRC) bot. Once delivered, it masks the malicious binary from process-information tools such as ps and lsof.
The AT&T researchers note that TeamTNT is also known for deploying updates to its cryptomining malware, the previous update being a new memory loader based on Ezuri and written in Golang.
“While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level,” suggest the researchers.
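As an added defender's example (not part of the article or of AT&T's report), the script below hunts for the two artefacts this kind of hiding leaves on a host: an entry in /etc/ld.so.preload, which is how libprocesshider gets loaded into every process, and process IDs that a direct lookup of /proc/<pid> finds but a directory listing of /proc omits, since the library hides processes by hooking readdir(). The preload path, the use of /proc and the Tgid filter are assumptions about a standard Linux host.

```python
"""Hunt for libprocesshider-style process hiding on a Linux host."""
import os

PROC = "/proc"
PRELOAD_FILE = "/etc/ld.so.preload"  # assumed standard glibc preload path

def parse_preload(text: str) -> list[str]:
    """Shared objects named in an ld.so.preload file; comments and blank lines are skipped.
    A clean host normally has no such file, so any entry deserves a look."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())  # several libraries may share one line
    return entries

def find_hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """PIDs a direct stat() of /proc/<pid> finds but a readdir() listing omits."""
    return probed - listed

def listed_pids() -> set[int]:
    """PIDs as readdir() reports them: the code path a preloaded hook tampers with."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}

def is_thread_group_leader(pid: int) -> bool:
    """Bare thread IDs exist under /proc but are never listed, so only real processes count."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            return any(row.startswith("Tgid:") and int(row.split()[1]) == pid for row in fh)
    except OSError:
        return False  # entry vanished while being read

def probed_pids(max_pid: int) -> set[int]:
    """PIDs found by asking for each /proc/<pid> directly, bypassing readdir()."""
    return {pid for pid in range(1, max_pid + 1)
            if os.path.isdir(f"{PROC}/{pid}") and is_thread_group_leader(pid)}

def scan() -> dict:
    """Run both checks against the live host; assumes Linux with /proc mounted."""
    try:
        with open(PRELOAD_FILE) as fh:
            preload = parse_preload(fh.read())
    except FileNotFoundError:
        preload = []
    with open(f"{PROC}/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    hidden = find_hidden_pids(listed_pids(), probed_pids(max_pid))
    hidden -= listed_pids()  # re-list to drop processes that merely started mid-scan
    return {"preload_entries": preload, "hidden_pids": sorted(hidden)}
```

Calling scan() probes every PID up to the kernel's pid_max, which takes a few seconds on modern kernels; any non-empty result is a lead to examine by hand, since legitimate preload entries do exist on some hosts.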
Via: BleepingComputer