
TeamTNT Cloaks Malware With Open-Source Tool
2021-01-27 21:43

The TeamTNT threat group has added a new detection-evasion tool to its arsenal, helping its cryptomining malware skirt by defense teams.

The new tool is delivered within a base64-encoded script, hidden in the TeamTNT cryptominer binary, or via its Internet Relay Chat bot, called TNTbotinger, which is capable of distributed denial of service attacks.

"I've found several TeamTNT files on VirusTotal using that tool, and there is a high chance it's been uploaded by infected users and not by anyone related to TeamTNT, so I believe that it's being used in the wild," Ofer Caspi, security researcher at AT&T Alien Labs, told Threatpost.

The tool is dropped on disk as a hidden tar (Tape Archive) file, then decompressed by the script and written to '/usr/local/lib/systemhealt'.

Once loaded, the custom shared library supplies the tool's own implementation of the function readdir().
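A defender-side check for the technique described above, added here as an example and not taken from the article or from the tool it describes. A shared library that replaces readdir() can filter entries out of directory listings such as /proc, so anything that enumerates processes by listing /proc sees an incomplete picture; stat()-ing /proc/<pid> directly does not go through readdir(), so comparing the two views exposes hidden PIDs. It assumes Linux and that such a library is loaded through /etc/ld.so.preload (an assumption; the article does not say how the library is loaded).

```python
"""Spot processes that a readdir()-hooking shared library hides from /proc listings."""
import os
from typing import Iterable, List, Set

PROC = "/proc"
PRELOAD_FILE = "/etc/ld.so.preload"  # assumed load mechanism; not stated in the article


def listed_pids(proc: str = PROC) -> Set[int]:
    """PIDs as returned by opendir()/readdir(); a libc hook can silently drop entries here."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(pid_max: int, proc: str = PROC) -> Set[int]:
    """PIDs found by stat()-ing /proc/<pid> one by one; this path never calls readdir()."""
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):  # up to a few million stat() calls: slow but thorough
        try:
            os.stat(f"{proc}/{pid}")
            found.add(pid)
        except FileNotFoundError:
            continue
    return found


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """Processes that exist but are missing from the readdir() view of /proc."""
    return set(probed) - set(listed)


def preload_entries(text: str) -> List[str]:
    """Library paths in ld.so.preload-style text; blank lines and '#' comments are skipped."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def read_pid_max() -> int:
    with open("/proc/sys/kernel/pid_max") as fh:
        return int(fh.read())


if __name__ == "__main__":
    # Two passes, keeping only PIDs hidden both times, so short-lived processes that
    # start between the listing and the probe do not show up as false positives.
    first = hidden_pids(listed_pids(), probed_pids(read_pid_max()))
    second = hidden_pids(listed_pids(), probed_pids(read_pid_max()))
    for pid in sorted(first & second):
        print(f"PID {pid} exists in /proc but is not returned by readdir(): possible process hider")
    if os.path.exists(PRELOAD_FILE):
        for lib in preload_entries(open(PRELOAD_FILE).read()):
            print(f"preloaded library to review: {lib} (present on disk: {os.path.exists(lib)})")
```

A hook that also intercepts stat() would defeat the comparison, so treat a clean result as one signal rather than proof; the preload listing is there to review alongside it.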

After a hiatus, the TeamTNT group returned in September to attack Docker and Kubernetes cloud instances by abusing a legitimate cloud-monitoring tool called Weave Scope.

News URL

https://threatpost.com/teamtnt-cloaks-malware-open-source-tool/163414/