Malware Hides Itself Using an Open Source Tool
The TeamTNT threat group has added a new tool to its cryptomining malware. The tool, libprocesshider, is copied from an open-source repository: it has been on GitHub since 2014 and hides a process on Linux using the dynamic linker's preload mechanism (ld.so preload). The TeamTNT cybercrime group is known for cloud-based attacks, including stealing Amazon Web Services credentials to break into cloud environments and use them to mine the Monero cryptocurrency. It has also targeted Docker and Kubernetes cloud instances.
The only new functionality libprocesshider brings is detection evasion, alongside other basic functions, but its presence acts as an indicator to consider when hunting for malicious activity at the host level, according to AT&T's Alien Labs. The tool is delivered within a base64-encoded script, either hidden in the TeamTNT cryptominer binary or via its Internet Relay Chat (IRC) bot, called TNTbotinger. TNTbotinger is also capable of distributed denial-of-service attacks.
After the base64-encoded script is downloaded, it runs through multiple tasks, including modifying the network DNS configuration, setting persistence through systemd, downloading the latest IRC bot configuration, and activating libprocesshider. The library is stored on disk as a hidden tape archive (tar) file, which the script decompresses and writes to /usr/local/lib/systemhealt.so. Libprocesshider then hides the malicious process from process-information programs such as ps and lsof. It does this through preloading: the dynamic linker loads a custom shared library before the other system libraries, and if that library exports a function with the same signature as one in a system library, the custom version overrides it.
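The preloading mechanism just described gives defenders two concrete host-level checks. The Python below is an added example written for this article, not code from the report or from the libprocesshider project. It assumes a Linux host with procfs, and it assumes that the preload hook only filters directory listings of /proc (the path that ps and lsof use) and does not intercept a direct stat of /proc/&lt;pid&gt;, so a process that exists but is missing from the listing is flagged as hidden. The /etc/ld.so.preload content used as sample input is constructed; the library path it contains is the one named in the article.

```python
"""
Added example (not from the article or the libprocesshider project).

Check 1: parse /etc/ld.so.preload and report every library it names.
         On a clean Linux host this file is normally absent or empty,
         so any entry deserves a look; the article's path
         /usr/local/lib/systemhealt.so is listed as a known indicator.
Check 2: compare the PIDs visible via a directory listing of /proc
         (the readdir view that ps and lsof rely on, and the one a
         preload hook can filter) against PIDs confirmed by stat-ing
         /proc/<pid> directly.

Assumption: the hook filters directory entries only and does not hook
stat(). A more thorough rootkit could hook more, so an empty result
means "nothing found", not "clean".
"""
import os

# Path taken from the report; treated as a known indicator.
KNOWN_BAD_PRELOADS = {"/usr/local/lib/systemhealt.so"}


def parse_ld_preload(text):
    """Return the library paths named in /etc/ld.so.preload content.

    This parser accepts whitespace- or colon-separated entries and
    ignores everything after a '#' on a line.
    """
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.replace(":", " ").split())
    return libs


def audit_preload(text):
    """Classify each preload entry as a known indicator or an unexpected library."""
    findings = []
    for lib in parse_ld_preload(text):
        if lib in KNOWN_BAD_PRELOADS:
            findings.append((lib, "known TeamTNT indicator"))
        else:
            findings.append((lib, "unexpected preload library"))
    return findings


def audit_host_preload(path="/etc/ld.so.preload"):
    """Live variant of audit_preload for the running host."""
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return audit_preload(fh.read())


def find_hidden_pids(listed_pids, present_pids):
    """PIDs confirmed present on the system but absent from the directory listing."""
    return sorted(set(present_pids) - set(listed_pids))


def scan_proc(max_pid=None):
    """Live check: readdir view of /proc versus a direct stat of each /proc/<pid>.

    Probing every PID up to kernel.pid_max costs one stat per PID, which
    can take a while on hosts with a large pid_max; pass a smaller
    max_pid to bound the scan.
    """
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    listed = {int(name) for name in os.listdir("/proc") if name.isdigit()}
    present = {pid for pid in range(1, max_pid + 1) if os.path.isdir(f"/proc/{pid}")}
    return find_hidden_pids(listed, present)


# Constructed sample input: what ld.so.preload would look like after the
# script described in the article has run.
SAMPLE_LD_PRELOAD = "/usr/local/lib/systemhealt.so\n"

if __name__ == "__main__":
    print("preload findings:", audit_preload(SAMPLE_LD_PRELOAD))
    # Constructed PID sets: 4242 is present but missing from the listing.
    print("hidden PIDs (sample):", find_hidden_pids({1, 2, 700}, {1, 2, 700, 4242}))
    # On a real Linux host, uncomment to run the live checks:
    # print(audit_host_preload())
    # print(scan_proc(max_pid=65536))
```

Run the live checks as root so that every /proc/&lt;pid&gt; directory is visible to the stat probe; as an unprivileged user the listing and the probe can disagree for reasons unrelated to a preload hook. Both functions are pure over their inputs, so the same logic can be applied to collected artifacts (a copied ld.so.preload, a saved process list) during incident response.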
TeamTNT has been seen deploying updates to its cryptomining malware, including a new memory loader based on Ezuri and written in Golang. In August, TeamTNT's cryptomining worm was discovered spreading through the AWS cloud and collecting credentials. After a brief hiatus, the TeamTNT group returned in September to attack Docker and Kubernetes cloud instances by leveraging Weave Scope, a legitimate cloud-monitoring tool.