A new variant of cryptojacking malware from the threat group TeamTNT has been uncovered by Palo Alto Networks' threat intelligence team, Unit 42.
The malware, named Black-T, "gives evidence of a change in tactics, techniques and procedures (TTPs)" for operations carried out by TeamTNT, a group known for targeting AWS credential files on compromised cloud systems and mining Monero.
Although Unit 42 researchers observed that Black-T follows the usual TeamTNT TTPs of targeting exposed Docker daemon APIs and carrying out scanning and cryptojacking operations on vulnerable systems of affected organizations, code in the malware shows that it has expanded capabilities.
These include the targeting and termination of competing cryptojacking worms such as the Crux worm, the ntpd miner and a redis-backup miner, which were previously unknown. Another is memory password scraping via mimipy and mimipenguins, with the passwords recovered by mimipenguins exfiltrated to a TeamTNT command and control node.
In addition, the researchers found that Black-T is able to extend TeamTNT's cryptojacking operations by using three different network scanning tools to identify additional Docker daemon APIs present on the local network of the compromised system as well as across any number of publicly accessible networks. While two of these, masscan and pnscan, have previously been used by the group, the introduction of zgrab is the first time a Go tool has been observed in TeamTNT's arsenal.
Palo Alto Networks stated: "TeamTnT is a cloud-focused cryptojacking group which targets exposed Docker daemon APIs. Upon successful identification and exploitation of the Docker daemon API, TeamTnT will drop the new cryptojacking variant Black-T."
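The "exposed Docker daemon API" that TeamTNT's scanners (masscan, pnscan, zgrab) hunt for is a dockerd TCP listener that answers unauthenticated HTTP requests. A daemon in that state replies to GET /version with a JSON document carrying "ApiVersion" and "Version", which is exactly the banner a scanner keys on and is therefore also the cheapest check a defender can run against their own address space. The script below is an added example written for this page, not code from Unit 42, TeamTNT or the Docker project. It uses only the Python standard library; the port numbers are Docker's documented defaults, the target list is an assumed input, and the fake daemon at the bottom is constructed so the check can be exercised offline.

```python
"""Audit check for exposed (unauthenticated) Docker daemon APIs. Added example."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Docker's documented defaults: 2375 is the plaintext listener, 2376 is normally TLS.
DOCKER_PLAIN_PORT = 2375
DOCKER_TLS_PORT = 2376


def classify_version_response(status, body):
    """Decide whether an HTTP reply to GET /version came from an open Docker daemon.

    Returns a dict with an 'exposed' flag and, when exposed, the engine and API
    versions the daemon reported, so the caller can log or alert on them.
    """
    if status != 200:
        return {"exposed": False, "reason": f"HTTP {status}"}
    try:
        doc = json.loads(body)
    except ValueError:
        return {"exposed": False, "reason": "non-JSON body"}
    if not isinstance(doc, dict) or "ApiVersion" not in doc:
        return {"exposed": False, "reason": "JSON without ApiVersion"}
    return {
        "exposed": True,
        "api_version": doc["ApiVersion"],
        "engine_version": doc.get("Version", "?"),
        "os": doc.get("Os", "?"),
    }


def probe_docker_api(host, port=DOCKER_PLAIN_PORT, timeout=3.0):
    """Send an unauthenticated GET /version over plain HTTP and classify the answer.

    A closed port, a TLS-only listener rejecting plaintext, or a timeout is
    reported as not exposed instead of raised, so a sweep over many hosts keeps going.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/version")
        resp = conn.getresponse()
        return classify_version_response(resp.status, resp.read().decode("utf-8", "replace"))
    except (OSError, http.client.HTTPException) as exc:
        return {"exposed": False, "reason": f"no usable response: {type(exc).__name__}"}
    finally:
        conn.close()


def sweep(targets, timeout=3.0):
    """Probe (host, port) pairs and return only those that answered as open daemons."""
    findings = []
    for host, port in targets:
        result = probe_docker_api(host, port, timeout)
        if result["exposed"]:
            findings.append({"host": host, "port": port, **result})
    return findings


# ---- constructed fake daemon for an offline run; not real Docker ----
FAKE_VERSION_DOC = {"Version": "19.03.12", "ApiVersion": "1.40", "Os": "linux", "Arch": "amd64"}


class _FakeDockerHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/version":
            self.send_error(404)
            return
        payload = json.dumps(FAKE_VERSION_DOC).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_daemon():
    """Start the constructed daemon on loopback with an OS-assigned port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeDockerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Sweep the fake daemon plus a loopback port assumed closed (port 1); return findings."""
    server, port = start_fake_daemon()
    try:
        return sweep([("127.0.0.1", port), ("127.0.0.1", 1)], timeout=1.0)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for f in demo():
        print(f"exposed Docker API at {f['host']}:{f['port']} "
              f"(engine {f['engine_version']}, API {f['api_version']})")
```

Point sweep() at the hosts and ports you own, both 2375 and 2376; a daemon that answers plaintext on 2376 is misconfigured in the same way. A hit means anyone who can reach that socket can start a privileged container, which is the foothold the article describes, so the fix is to bind dockerd to a Unix socket or require client TLS certificates, not merely to firewall the port.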
Speaking to Infosecurity, Nathaniel Quist, senior threat researcher at Unit 42, Palo Alto Networks, said: "As TeamTnT currently operates, they are very opportunistic and are indiscriminate in who they target. It appears they are more interested in exploiting services to steal as many computational resources as they can, rather than focusing on specific sectors."
He added: "COVID-19 pushed many organizations towards cloud infrastructure a little more quickly, so it is likely that we are going to see cloud-targeted malware evolve to use more advanced techniques as a result, given the increased opportunity."