Linux-based machines are no longer considered a major deterrent for cybercriminal groups, who are embracing the operating system as a target. This is particularly true when workplaces leverage the cloud to deploy Linux-based containerization technology.
Case in point: researchers are warning that several cyber gangs have started infecting Linux machines via a fileless malware installation technique that until recently was more commonly used against Windows-based systems.
One of the gangs at the forefront of this trend is TeamTNT, which AT&T Alien Labs this week reported is using the new “Ezuri” downloader to decrypt, install and execute a final malware payload from memory, without ever writing to disk.
The Golang-based downloader is an ELF (Executable and Linkable Format) file that was created back in March 2019 and posted on GitHub. According to a blog post jointly authored by researchers Ofer Caspi and Fernando Martinez of AT&T Alien Labs, the tool is an intuitive one to use.
“When executing, it first asks the path for the payload to be encrypted, along with the password to be used for AES encryption. If no password is given, the tool generates one, which is used to hide the malware within the loader. After the user’s input, the packer compiles the loader with the payload encrypted within it, so it can be decrypted and executed in memory once it is placed in the victim’s system,” the blog post reads.
Though not the only group using this tool, TeamTNT garnered special attention from the blog post. Active since April 2020, the group is known for targeting misconfigured Docker systems and vulnerable management APIs as a means to install DDoS bots and Monero-hunting cryptominers in infected systems.
Asked if Linux has become TeamTNT’s main strategic target, Tom Hegel, security researcher at AT&T Cybersecurity’s Alien Labs, told SC Media: “TeamTNT is more cloud-focused than Linux, but they overlap well in this case. The group tends to target cloud-standard resources and [operating systems], such as docker and *nix.”
There’s a reason Linux and the cloud overlap well. As more workplaces embrace cloud environments, Linux-based Docker containers are becoming more popular since they are relatively easy to deploy in a cloud, explained a May 2020 Trend Micro blog post detailing TeamTNT activity.
Just this morning, Trend Micro issued a new report on TeamTNT, detailing a recent campaign targeting container platforms that uses shell scripts to not only deploy cryptominers, but also steal Docker API and AWS credentials. “The shell script also downloads some greyware tools that will be used in the future to look into other targets. These tools perform network scanning and mapping and will be used to search and map new vulnerable container APIs,” the blog post states.
Trend Micro has also observed other malware groups engaging in similar behaviors.
“We have started to see more focus on Linux as a primary target. Kinsing malware is a great example,” Trend Micro researcher Erin Johnson told SC Media, referring to another Golang-based Linux agent that targets Docker in order to install cryptominers. “We expect this trend to continue as actors find more ways to monetize cloud environments and IoT devices.”
Last October, Palo Alto Networks’ Unit 42 research team reported finding a new variant of TeamTNT’s cryptominer called Black-T, which can kill competing cryptojacking worms on an infected machine and employs *nix versions of the Windows-based Mimikatz tool for memory password-scraping functionality.
According to AT&T Alien Labs, one of the samples listed by Unit 42 is an Ezuri loader that delivers an ELF file packed with UPX. “Using this packer, the antivirus (AV) detection drops dramatically,” the report says. Indeed, the pre-Ezuri packer TeamTNT malware was detected 28 out of 62 times in VirusTotal, but the Ezuri-packed version was detected in only three out of 64 cases.
The AT&T Alien Labs, Trend Micro and Unit 42 blog posts include detection methods, indicators of compromise and/or defensive tips pertaining to TeamTNT’s threats.
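An added example, not taken from the article or the cited reports: a Python triage check for the in-memory execution described above, which flags processes whose `/proc/<pid>/exe` link does not resolve to a file on disk. It assumes the payload runs from an anonymous memory file or an unlinked binary, a mechanism the article does not specify; the function names and sample link targets are constructed for illustration.

```python
import os

# readlink(/proc/<pid>/exe) targets that indicate no on-disk executable:
#   "/memfd:<name> (deleted)"  -> image lives in an anonymous memory file
#   "/path/to/bin (deleted)"   -> file was unlinked after the process started
MEMFD_PREFIX = "/memfd:"
DELETED_SUFFIX = " (deleted)"


def classify_exe_target(target):
    """Return 'memfd', 'deleted' or 'on-disk' for a /proc/<pid>/exe link target."""
    if target.startswith(MEMFD_PREFIX):
        return "memfd"
    if target.endswith(DELETED_SUFFIX):
        return "deleted"
    return "on-disk"


def scan_proc(proc_root="/proc"):
    """Yield (pid, target, verdict) for processes not backed by a file on disk."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            # Kernel threads, exited processes, or insufficient privileges.
            continue
        verdict = classify_exe_target(target)
        if verdict != "on-disk":
            yield int(entry), target, verdict


# Constructed sample link targets (not taken from any real incident).
SAMPLES = {
    101: "/usr/sbin/sshd",
    202: "/memfd: (deleted)",
    303: "/tmp/.x/kworker (deleted)",
}


def triage(samples):
    """Classify a {pid: link_target} mapping, e.g. one collected by an agent."""
    return {pid: classify_exe_target(t) for pid, t in samples.items()}


if __name__ == "__main__":
    for pid, target, verdict in scan_proc():
        print(f"{pid}\t{verdict}\t{target}")
```

Run it as root to see every process. A `deleted` verdict also appears for services still running after a package upgrade, so treat hits as leads to investigate rather than confirmed infections.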