TeamTNT distributes a miner that is not detected by security tools

Information security company specialists Cado Security discovered that the cryptojacking group TeamTNT is spreading a previously unknown strain of cryptocurrency mining malware Monero on compromised systems.

According to a Cado Security report, the artifact uploaded to VirusTotal shares several syntactic and semantic similarities with previous TeamTNT payloads and includes a wallet ID previously attributed to the group.

The TeamTNT group, which has been active since at least 2019, has repeatedly attacked cloud and container environments to deploy cryptocurrency miners. Hackers are also known to launch a cryptocurrency mining worm into the system that can steal AWS credentials.

The shell script takes the preparation steps to:

• reconfiguring hard limits on resource usage;
• prevention of command history registration;
• receive all incoming and outgoing traffic;
• enumeration of hardware resources;
• cleaning up previous compromises before launching an attack.

The malicious TeamTNT payload also uses a technique called “hijacking the dynamic linker” (Dynamic linker hijacking) to hide the process miner using a shared object executable called libprocesshider which uses the LD_PRELOAD environment variable.

Persistence is achieved in three different ways, one of which is modifying the “.profile” file to ensure that the miner continues to run across system reboots.

Cryptocurrency mining on an organization’s network can lead to system performance degradation, increased power consumption, equipment overheating, and service interruption. This allows attackers to gain access for further malicious activities.