Linux malware uses open-source tool to evade detection (Security News, January 2021)

The TeamTNT group has further upgraded its malware to evade detection after infecting Linux devices and deploying malicious coinminer payloads.
"The group is using a new detection evasion tool, copied from open source repositories," AT&T Alien Labs security researcher Ofer Caspi says in a report published today.
The tool, libprocesshider, is open source and available on GitHub. It hides a chosen Linux process from anything that enumerates /proc by hooking readdir() through the dynamic loader's preload mechanism (LD_PRELOAD or /etc/ld.so.preload): tools such as ps, top and ls /proc never see the directory entry, while the process itself keeps running.
The detection evasion tool is deployed on infected systems as a base64-encoded bash script embedded within the TeamTNT IRC bot or cryptominer binary.
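A check for this class of hider, added here as an example (it is not code from the AT&T Alien Labs report or from the libprocesshider project): it parses /etc/ld.so.preload, which ld.so reads for every dynamically linked program, and then compares the PIDs a readdir()-based listing of /proc returns with the PIDs found by probing /proc/<pid> directly. A readdir() hook can filter the listing but not a stat() on a path it was never asked about. Assumed: Linux /proc semantics and a hider that hooks readdir() only; the function names and the sample preload contents in the test are this example's own.

```python
"""Two checks for an LD_PRELOAD-based process hider such as libprocesshider.

Added example for this page, not code from the AT&T report or the
libprocesshider project. Assumes Linux /proc semantics and a hider that
hooks readdir(), so a directory listing of /proc omits the hidden PID
while stat() on /proc/<pid> still succeeds.
"""
import os
import re

PRELOAD_FILE = "/etc/ld.so.preload"   # read by ld.so for every dynamically linked process


def parse_preload(text):
    """Return the library paths listed in an ld.so.preload file body.

    ld.so splits the file on whitespace or ':' and ignores '#' comments. On a
    server with no known reason to preload anything, a non-empty result is a
    finding to triage (owner, mtime and exported symbols of the listed file).
    """
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(p for p in re.split(r"[\s:]+", line) if p)
    return libs


def readdir_pids(proc="/proc"):
    """PIDs as reported by readdir(); os.listdir() is the call a hook intercepts."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def stat_pids(proc="/proc", pid_max=None):
    """PIDs found by probing /proc/<pid> directly; a readdir() hook cannot filter these."""
    if pid_max is None:
        try:
            with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
                pid_max = int(fh.read())
        except (OSError, ValueError):
            pid_max = 32768   # fallback: the traditional kernel default
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists(os.path.join(proc, str(pid)))}


def hidden_pids(listed_before, probed, listed_after):
    """PIDs that exist but appear in neither /proc listing.

    Listing before and after the probe filters out most processes that
    merely started or exited while the scan was running.
    """
    return sorted(probed - listed_before - listed_after)


def find_hidden(proc="/proc", pid_max=None):
    """Run the listing/probe/listing sequence against the live system."""
    before = readdir_pids(proc)
    probed = stat_pids(proc, pid_max)
    after = readdir_pids(proc)
    # re-check existence so a short-lived PID that only raced the scan is dropped
    return [pid for pid in hidden_pids(before, probed, after)
            if os.path.exists(os.path.join(proc, str(pid)))]


def comm(pid, proc="/proc"):
    """Process name from /proc/<pid>/comm (empty string if the process is gone)."""
    try:
        with open(os.path.join(proc, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return ""


if __name__ == "__main__":
    try:
        with open(PRELOAD_FILE) as fh:
            preloaded = parse_preload(fh.read())
    except OSError:
        preloaded = []
    print("preloaded libraries:", preloaded or "none")
    for pid in find_hidden():
        print(f"hidden from readdir: pid {pid} comm={comm(pid)!r}")
```

On a host whose pid_max is 4194304 the probe stats every candidate PID and takes several seconds; that is the price of not trusting readdir(). The comparison only catches hooks on readdir(); a hider that also wraps stat() and open() would defeat it, so for a trusted view run the check from a statically linked binary, from a process started with an empty LD_PRELOAD and an unmodified loader, or from outside the container or VM.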
"Through the use of libprocesshider, TeamTNT once again expands their capabilities based on the available open source tools," Caspi concluded.
Intezer has also observed the malware deploying the legitimate Weave Scope open-source tool to take control of victims' Docker, Kubernetes, Distributed Cloud Operating System (DC/OS), or AWS Elastic Compute Cloud (EC2) infrastructure.