The cryptojacking group known as TeamTNT is suspected to be behind a previously undiscovered strain of malware used to mine Monero cryptocurrency on compromised systems.
That's according to Cado Security, which discovered the sample after Sysdig detailed a sophisticated attack known as SCARLETEEL aimed at containerized environments with the ultimate goal of stealing proprietary data and software.
Specifically, the early phase of the attack chain involved the use of a cryptocurrency miner, which the cloud security firm suspected was deployed as a decoy to draw attention away from the data exfiltration.
The artifact, uploaded to VirusTotal late last month, "bear[s] several syntactic and semantic similarities to prior TeamTNT payloads, and includes a wallet ID that has previously been attributed to them," a new analysis from Cado Security has revealed.
TeamTNT, active since at least 2019, has been documented repeatedly striking cloud and container environments to deploy cryptocurrency miners. It is also known to have unleashed a crypto mining worm capable of stealing AWS credentials.
While the threat actor voluntarily shut down its operations in November 2021, cloud security firm Aqua disclosed in September 2022 a fresh set of attacks mounted by the group targeting misconfigured Docker and Redis instances.
That said, there are also indications that rival crews such as WatchDog might be mimicking TeamTNT's tactics, techniques, and procedures (TTPs) to foil attribution efforts.
Another activity cluster of note is Kiss-a-dog, which also relies on tools and command-and-control (C2) infrastructure previously associated with TeamTNT to mine cryptocurrency.
There is no concrete evidence tying the new malware to the SCARLETEEL attack. But Cado Security pointed out that the sample surfaced around the same time the latter was reported, raising the possibility that this could be the "decoy" miner that was installed.
The shell script, for its part, takes preparatory steps before mining begins: it reconfigures resource hard limits (ulimit), disables command history logging, sets firewall policies to accept all ingress and egress traffic, enumerates hardware resources, and even cleans up prior compromises by other actors.
Like other TeamTNT-linked attacks, the malicious payload also leverages a technique called dynamic linker hijacking to cloak the miner process: a shared object called libprocesshider is loaded into processes via the LD_PRELOAD mechanism (typically by writing its path to /etc/ld.so.preload so that every newly started dynamically linked program picks it up) and hooks readdir() so that the miner's entry under /proc is filtered out of directory listings, making it invisible to tools such as ps and top.
Persistence is achieved through three different means, one of which modifies the .profile file, so that the miner is relaunched at login and continues to run across system reboots.
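The three techniques above (preload-based process hiding, .profile persistence, and a miner process that no longer shows up in listings) each leave a detectable trace. The following Python triage script is an added example written for this article; it is not code from Cado Security or from the malware. It checks /etc/ld.so.preload for libraries outside the normal library directories, scans a login profile for lines that launch something from world-writable scratch directories, and finds hidden PIDs by comparing a readdir()-based listing of /proc with a stat()-based probe of /proc/<pid>, which a readdir hook such as libprocesshider cannot filter. The "trusted" library prefixes and the profile heuristics are assumptions chosen for illustration, not published indicators, and the sample file contents are constructed for the example.

```python
"""Host triage for LD_PRELOAD process hiding, .profile persistence and
hidden miner processes. Added example; not the report's or the malware's code."""
import os
import re
from typing import Iterable, List, Set

# Read by the dynamic linker for every dynamically linked process.
LD_SO_PRELOAD = "/etc/ld.so.preload"

# Assumption: a legitimately installed preload library lives under one of these.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Assumption: persistence lines tend to run out of scratch dirs or wrap the
# launch in nohup/crontab, or re-export LD_PRELOAD. Heuristic, not an IOC list.
PROFILE_MARKERS = re.compile(r"(/tmp/|/dev/shm/|/var/tmp/|\bnohup\b|\bcrontab\b|LD_PRELOAD=)")


def suspicious_preload_entries(preload_text: str) -> List[str]:
    """Library paths in an ld.so.preload body that live outside the trusted
    directories or carry a libprocesshider-like name."""
    hits = []
    for line in preload_text.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        if not path.startswith(TRUSTED_LIB_PREFIXES) or "processhider" in path.lower():
            hits.append(path)
    return hits


def suspicious_profile_lines(profile_text: str) -> List[str]:
    """Non-comment lines of a shell profile matching the persistence heuristics."""
    return [ln for ln in profile_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and PROFILE_MARKERS.search(ln)]


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """PIDs that exist according to the probe but are missing from the listing.
    libprocesshider filters readdir() results, so os.listdir('/proc') is lied
    to, whereas os.path.exists('/proc/<pid>') goes through stat() and is not."""
    return set(probed) - set(listed)


def listed_proc_pids() -> Set[int]:
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def probed_proc_pids(pid_max: int) -> Set[int]:
    return {pid for pid in range(1, pid_max + 1) if os.path.exists(f"/proc/{pid}")}


def read_pid_max(default: int = 32768) -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default


def live_hidden_pids() -> Set[int]:
    """Live check. Re-verifies candidates so a process that exited between the
    two enumerations is not reported as hidden."""
    candidates = hidden_pids(listed_proc_pids(), probed_proc_pids(read_pid_max()))
    still_listed = listed_proc_pids()
    return {p for p in candidates if os.path.exists(f"/proc/{p}") and p not in still_listed}


# Constructed sample inputs so the script can be exercised offline.
SAMPLE_PRELOAD = "/lib/x86_64-linux-gnu/libaudit-wrapper.so\n/usr/local/lib/libprocesshider.so\n"
SAMPLE_PROFILE = (
    "# ~/.profile: executed by the command interpreter for login shells.\n"
    'if [ -n "$BASH_VERSION" ]; then\n'
    '    . "$HOME/.bashrc"\n'
    "fi\n"
    'export PATH="$HOME/bin:$PATH"\n'
    "nohup /tmp/.x/run.sh >/dev/null 2>&1 &\n"
)

if __name__ == "__main__":
    print("preload hits:", suspicious_preload_entries(SAMPLE_PRELOAD))
    print("profile hits:", suspicious_profile_lines(SAMPLE_PROFILE))
    if os.path.isfile(LD_SO_PRELOAD):
        with open(LD_SO_PRELOAD) as fh:
            print("live preload hits:", suspicious_preload_entries(fh.read()))
    if os.path.isdir("/proc"):
        print("hidden pids:", sorted(live_hidden_pids()))
```

The stat()-based probe works because libprocesshider only hooks the readdir family; it does not intercept stat() or open(), so /proc/<pid> remains reachable by name. A more thorough rootkit could hook those too, so treat an empty result as "no evidence of this particular technique" rather than a clean bill of health, and corroborate with a scan of /proc/*/environ for LD_PRELOAD and with ls -la on the path named in ld.so.preload.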
The findings come as another crypto miner group dubbed the 8220 Gang has been observed using a crypter called ScrubCrypt to carry out illicit cryptojacking operations.
What's more, unknown threat actors have been found targeting vulnerable Kubernetes container orchestrator infrastructure with exposed APIs to mine the Dero cryptocurrency, marking a shift from Monero.
Cybersecurity company Morphisec last month also shed light on an evasive malware campaign that leverages the ProxyShell vulnerabilities in Microsoft Exchange servers to drop a crypto miner strain codenamed ProxyShellMiner.
"Mining cryptocurrency on an organization's network can lead to system performance degradation, increased power consumption, equipment overheating, and can stop services," the researchers said. "It enables threat actors access for even more nefarious ends."