TeamTNT, the cryptojacking group whose malware targets Docker APIs exposed to the internet, has added a new capability: hiding its malicious processes. As spotted by researchers at AT&T Alien Labs, the TeamTNT botnet malware now uses an open-source tool to hide its malicious process on infected Linux machines and to wipe out its traces.
TeamTNT Malware Hides Using an Open-source Tool
First spotted by MalwareHunterTeam, the TeamTNT botnet malware hijacked internet-exposed Docker APIs to add the hosts to its network and use their resources to mine Monero cryptocurrency. The malware was soon extended to steal Docker and AWS credentials.
Now researchers at AT&T Alien Labs report that the authors of TeamTNT have updated the malware to use an open-source tool called “libprocesshider” (available on GitHub) to hide its malicious processes from detection. The tool is delivered along with the TeamTNT binary as a base64-encoded bash script. Once executed, the script can:
- Modify the network DNS configuration.
- Set up persistence on the system.
- Drop and activate the new tool as a service.
- Download the latest IRC bot configuration, and
- Clear evidence of activities to complicate potential defender actions.
The malware, named Black-T, can also erase the history of its malicious activity from the system. Ofer Caspi, a researcher at AT&T Alien Labs, said: “While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level.”
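How the hiding works, and how to hunt for it on a host, as an added example that is not taken from the article, from the libprocesshider repository or from TeamTNT's own code: libprocesshider is registered in /etc/ld.so.preload so the dynamic loader injects it into every new process, where its readdir() override drops the hidden PID from /proc listings. Tools that walk /proc through libc (ps, top, ls, os.listdir) therefore never see the process, but the preload file itself remains on disk and the kernel still answers kill(pid, 0) and stat("/proc/<pid>") for the hidden PID. The Python script below checks the preload file and then compares the /proc listing with a kill(pid, 0) sweep. The file paths are the real Linux ones; the 32768 fallback for pid_max on hosts without the sysctl is an assumption.

```python
"""Hunt for libprocesshider-style process hiding on a Linux host.

Example code written for this article, not the tool's or TeamTNT's.
Two artefacts survive the readdir() hook: the /etc/ld.so.preload
entry that loads the library, and the process itself, which still
answers kill(pid, 0) and is still reachable as /proc/<pid> by name.
"""
import os
import re

LD_PRELOAD_FILE = "/etc/ld.so.preload"      # path glibc's loader reads
PID_MAX_FILE = "/proc/sys/kernel/pid_max"   # Linux-only; fallback below
SELF_PID = os.getpid()


def parse_ld_preload(text: str) -> list[str]:
    """Return the shared objects listed in an ld.so.preload file body.

    glibc strips '#' comments and splits entries on whitespace or ':'.
    On a clean host the file normally does not exist at all, so any
    entry here deserves a look (and a hash lookup of the .so).
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def listed_pids() -> set[int]:
    """PIDs visible through libc's readdir(): what ps and top would show."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid: int) -> set[int]:
    """PIDs that answer kill(pid, 0), bypassing readdir() entirely.

    ESRCH (ProcessLookupError) means no such process; EPERM
    (PermissionError) means it exists but belongs to another user,
    which still proves it is alive.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """Processes that are alive but absent from the directory listing."""
    return probed - listed


def is_thread_group_leader(pid: int) -> bool:
    """Threads also answer kill(tid, 0) and exist as /proc/<tid> by name
    but are never listed in /proc, so non-leader threads must be excluded
    to avoid false positives."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def confirm_hidden(pid: int) -> bool:
    """Re-check a candidate: still alive, a real process (not a thread),
    and still missing from a fresh readdir()-based listing. This rules
    out processes that merely exited between the sweep and the listing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return is_thread_group_leader(pid) and pid not in listed_pids()


def read_pid_max() -> int:
    """Upper bound for the sweep; 32768 is an assumed fallback."""
    try:
        with open(PID_MAX_FILE) as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768


if __name__ == "__main__":
    try:
        with open(LD_PRELOAD_FILE) as f:
            preload = parse_ld_preload(f.read())
    except FileNotFoundError:
        preload = []
    print("ld.so.preload entries:", preload or "none")

    # Sweep first, then list: a PID present in the sweep but absent from
    # the listing is either hidden or exited in between; confirm_hidden()
    # separates the two.
    probed = probed_pids(read_pid_max())
    listed = listed_pids()
    hidden = sorted(p for p in hidden_pids(listed, probed) if confirm_hidden(p))
    print("hidden PIDs:", hidden or "none")
```

The sweep runs unprivileged (EPERM still counts as alive), but with the default pid_max of 4194304 on modern kernels it takes a few seconds in Python. A non-empty /etc/ld.so.preload is the cheaper first check and, on a server that never had one, is a finding on its own; a listed .so should be hashed and pulled for analysis before the host is touched further, since every new process on it is already running the hook.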
This shows how committed the authors of TeamTNT are to strengthening the malware: it gained credential-stealing and detection-evasion capabilities in less than nine months. To achieve its goal, it consumes the resources of the host machine to mine Monero cryptocurrency for its operators.