TeamTNT’s Undetectable Miner Circulates

Researchers at the information security company Cado Security have uncovered a previously unknown strain of malware that mines Monero cryptocurrency on compromised systems, distributed by the TeamTNT group.

Cado Security found that the sample uploaded to VirusTotal shares several syntactic and semantic similarities with earlier TeamTNT payloads and contains a wallet identifier previously attributed to the group.

The TeamTNT group has been active since 2019 and has repeatedly attacked cloud and container environments to deploy cryptocurrency miners. It is also known for cryptocurrency-mining malware capable of stealing AWS credentials.

The shell script deployed by the malware performs preparatory steps: it lifts hard limits on resource usage, disables command-history logging, allows all inbound and outbound traffic, enumerates hardware resources, and cleans up previously compromised systems before the attack.

The TeamTNT payload also uses a technique called ‘Dynamic Linker Hijacking’ to hide the miner process, using a shared object called libprocesshider that relies on the LD_PRELOAD environment variable. Persistence is achieved in three different ways, one of which modifies the ‘profile’ file to ensure the miner keeps running after the system is rebooted.
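The process-hiding trick above relies on a preloaded shared object hooking readdir(), which is also how a defender can catch it. The following is an added example (not code from the article or from Cado Security) of three host-side checks: listing /etc/ld.so.preload entries, reading LD_PRELOAD out of a process environment, and comparing a readdir()-based process listing against a direct per-PID probe of /proc; the SAMPLE_* inputs are constructed and the script assumes Linux /proc semantics.

```python
# Added example (not from the article or from Cado Security): defender-side
# heuristics for the LD_PRELOAD process-hiding technique described above.
# Assumes Linux /proc semantics; the SAMPLE_* inputs below are constructed.
import os
from typing import Callable, Iterable, List, Optional

# Constructed samples, shaped like /etc/ld.so.preload and /proc/<pid>/environ.
SAMPLE_PRELOAD = "# preload list\n/usr/local/lib/libprocesshider.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/usr/local/lib/libprocesshider.so\0HOME=/root\0"

def preload_entries(ld_so_preload_text: str) -> List[str]:
    """Objects listed in /etc/ld.so.preload. A typical host has no such file
    or an empty one, so every entry deserves a look."""
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        entries.extend(line.split())            # several objects per line allowed
    return entries

def ld_preload_from_environ(environ_blob: bytes) -> Optional[str]:
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, if set."""
    for item in environ_blob.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def hidden_pids(listed: Iterable[int], max_pid: int,
                exists: Callable[[int], bool] = lambda p: os.path.exists(f"/proc/{p}")) -> List[int]:
    """PIDs present in /proc but absent from a readdir()-based listing (ps, top).
    A readdir() hook only filters directory entries; it does not block a
    direct stat() of /proc/<pid>, so probing each PID exposes what it hides.
    (A hook that also wraps stat() would need a different probe.)"""
    visible = set(listed)
    return [p for p in range(1, max_pid + 1) if exists(p) and p not in visible]

def demo() -> dict:
    """Run the checks on the constructed samples; /proc is simulated as
    holding PIDs 1, 2, 3 and 5 while the listing omits 3."""
    return {
        "preload": preload_entries(SAMPLE_PRELOAD),
        "ld_preload": ld_preload_from_environ(SAMPLE_ENVIRON),
        "hidden": hidden_pids({1, 2, 5}, 6, exists=lambda p: p in {1, 2, 3, 5}),
    }

if __name__ == "__main__":
    print(demo())
    # Live host: compare the readdir() listing of /proc with a per-PID probe.
    live = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    with open("/proc/sys/kernel/pid_max") as f:
        print("hidden on this host:", hidden_pids(live, int(f.read())))
```

The live probe stats every PID up to pid_max, which takes a few seconds at the default value; any PID it reports that ps does not show warrants a look at that process's /proc/<pid>/maps for the preloaded object.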

Cado Security warns that cryptocurrency mining on an organization’s network can degrade system performance, increase energy consumption, overheat equipment and bring down services, and can give attackers a foothold for further malicious actions.

The discovery of this malware further underscores the need for robust cybersecurity measures to protect against such attacks.
