The detection-evasion tool, libprocesshider, hides TeamTNT’s malware from process-information programs.
The TeamTNT threat group has added a new detection-evasion tool to its arsenal, helping its cryptomining malware skirt by defense teams.
The TeamTNT cybercrime group is known for cloud-based attacks, including targeting Amazon Web Services (AWS) credentials in order to break into the cloud and use it to mine for the Monero cryptocurrency. It has also previously targeted Docker and Kubernetes cloud instances.
The new detection-evasion tool, libprocesshider, is copied from open-source repositories. The open-source tool, which dates from 2014, is hosted on GitHub and is described as having the capability to “hide a process under Linux using the ld preloader.”
“While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level,” said researchers with AT&T’s Alien Labs, on Wednesday.
The new tool is delivered within a base64-encoded script, hidden in the TeamTNT cryptominer binary, or via its Internet Relay Chat (IRC) bot, called TNTbotinger, which is capable of distributed denial of service (DDoS) attacks.
In the attack chain, after the base64-encoded script is downloaded, it runs through multiple tasks. These include modifying the network DNS configuration, setting persistence (through systemd), downloading the latest IRC bot configuration, clearing evidence of activities – and dropping and activating libprocesshider. The tool is dropped as a hidden Tape Archive file (also known as the Tar format, which is used for open-source software distribution) on the disk and then decompressed by the script and written to ‘/usr/local/lib/systemhealt.so’.
libprocesshider then aims to hide the malicious process from process-information programs such as ‘ps’ and ‘lsof.’
These are both process-viewer tools, which use the file ‘/usr/bin/sbin’. The ‘ps’ program (short for “process status”) displays currently running processes in many Unix-like operating systems; ‘lsof’ (short for “list open files”) is a command, also used on Unix-like operating systems, that, as the name suggests, reports a list of all open files and the processes that opened them. Hiding the process from these two process-viewer tools allows the attacker to cloak its malicious activity.
libprocesshider uses a technique called preloading in order to hide its activity from ‘ps’ and ‘lsof.’ Preloading makes the system load a custom shared library before the other system libraries are loaded.
“If the custom shared library exports a function with the same signature of one located in the system libraries, the custom version will override it,” said researchers.
The custom shared library overrides the function readdir(), which programs like ‘ps’ use to read the /proc directory to find running processes. The tool’s version of the function modifies the return value so that, when ‘ps’ encounters the malicious process, the entry is dropped and the process stays hidden.
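The readdir() override described above is also the hook a defender can test for. The following C program is an added example, not code from the Threatpost article, from AT&T Alien Labs, or from the libprocesshider project: it lists /proc twice, once through libc’s opendir()/readdir() (the path ‘ps’ takes and the one a preloaded library can filter) and once through the raw getdents64 system call, which a user-space hook never sees, and reports any PID present in the kernel’s view but missing from the libc view. It also checks /etc/ld.so.preload, the file the dynamic loader reads to preload a library into every dynamically linked process; the article does not name that file, so treating it as the loading mechanism is an assumption here. The program is Linux-only.

```c
// Added example: detect readdir()-based process hiding by comparing the
// libc view of /proc with the raw getdents64() syscall view.
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_PIDS 65536

/* Record layout getdents64() writes into the caller's buffer (see getdents(2));
 * glibc ships no header for it, so it is declared here. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* /proc entries that name a process are purely numeric. */
static int is_pid_name(const char *name) {
    if (*name == '\0') return 0;
    for (; *name; name++)
        if (!isdigit((unsigned char)*name)) return 0;
    return 1;
}

/* PIDs in /proc via the raw syscall. A library that only hooks libc readdir()
 * cannot filter this path. Returns the count, or -1 if /proc is unreadable. */
int list_pids_raw(int *pids, int max) {
    int fd = open("/proc", O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[32768];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;
        for (long pos = 0; pos < nread;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            if (is_pid_name(d->d_name) && n < max) pids[n++] = atoi(d->d_name);
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* PIDs in /proc the way ps sees them: through libc opendir()/readdir(),
 * exactly the functions an LD_PRELOAD library can override. */
int list_pids_libc(int *pids, int max) {
    DIR *dir = opendir("/proc");
    if (!dir) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(dir)) != NULL)
        if (is_pid_name(e->d_name) && n < max) pids[n++] = atoi(e->d_name);
    closedir(dir);
    return n;
}

static int contains(const int *pids, int n, int pid) {
    for (int i = 0; i < n; i++) if (pids[i] == pid) return 1;
    return 0;
}

/* Count PIDs the kernel reports but libc readdir() does not. Processes may
 * exit between the two listings, so a PID absent from the libc view is only
 * counted if /proc/<pid> still exists afterwards. Returns -1 on error. */
int count_hidden_pids(void) {
    static int raw[MAX_PIDS], seen[MAX_PIDS];
    int nraw = list_pids_raw(raw, MAX_PIDS);
    int nseen = list_pids_libc(seen, MAX_PIDS);
    if (nraw < 0 || nseen < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nraw; i++) {
        if (contains(seen, nseen, raw[i])) continue;
        char path[32];
        struct stat st;
        snprintf(path, sizeof path, "/proc/%d", raw[i]);
        if (stat(path, &st) == 0) {   /* still alive yet unlisted: hidden */
            printf("hidden pid %d\n", raw[i]);
            hidden++;
        }
    }
    return hidden;
}

/* Returns 1 if /etc/ld.so.preload names at least one library, else 0.
 * Assumption: the loader preload file is how the .so gets into every process. */
int preload_file_in_use(void) {
    FILE *f = fopen("/etc/ld.so.preload", "r");
    if (!f) return 0;
    char line[512];
    int used = 0;
    while (fgets(line, sizeof line, f))
        if (strchr(line, '/') != NULL) { used = 1; printf("preload entry: %s", line); }
    fclose(f);
    return used;
}

int main(void) {
    int hidden = count_hidden_pids();
    printf("hidden processes: %d\n", hidden);
    printf("/etc/ld.so.preload in use: %s\n", preload_file_in_use() ? "yes" : "no");
    return hidden > 0 ? 2 : 0;
}
```

Build with `gcc -O2 -o prochide-check prochide-check.c` and run it as root so every /proc/<pid> is stat-able. On a clean host it prints zero hidden processes; a readdir() hook of the libprocesshider kind shows up as one or more PIDs that the syscall returns and libc does not. The check only covers user-space filtering of readdir(): a library that also overrides stat()/open(), or a kernel-level rootkit, would defeat this comparison, which is why it belongs alongside the /etc/ld.so.preload check and file-integrity monitoring of paths such as the one named in the article, rather than replacing them.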
TeamTNT Continues to Add New Features
From time to time, TeamTNT has been seen deploying various updates to its cryptomining malware, including a new memory loader uncovered just a few weeks ago, which was based on Ezuri and written in Golang.
In August, TeamTNT’s cryptomining worm was discovered spreading through the AWS cloud and collecting credentials. Then, after a hiatus, the TeamTNT group returned in September to attack Docker and Kubernetes cloud instances by abusing a legitimate cloud-monitoring tool called Weave Scope.