Researchers have discovered the latest cryptojacking malware gambit from TeamTNT, called Black-T. The variant builds on the group’s typical approach, with a few new — and sophisticated — extras.
TeamTNT is known for its targeting of Amazon Web Services (AWS) credentials, to break into the cloud and use it to mine for the Monero cryptocurrency. But according to researchers with Palo Alto Network’s Unit 42, with Black-T, the group has added in additional capabilities to its tactics, techniques and procedures (TTPs). These include the addition of sophisticated network scanners; the targeting of competitor XMR mining tools on the network; and the use of password scrapers.
What TeamTNT plans to do with the saved passwords and additional capabilities is still unclear, but the development signals that the group doesn’t plan to slow down anytime soon.
In August, TeamTNT was identified by researchers as the first cryptojacking group to specifically target AWS. With increasingly sophisticated TTPs, the cybercriminal gang appears to be gaining steady momentum. Just last month, TeamTNT was discovered to have been leveraging a common open-source cloud monitoring tool called Weave Scope, to infiltrate the cloud and execute commands without breaching the server.
Black-T represents a notable jump forward in the operation’s sophistication, researchers said.
Once deployed, the first order of business for Black-T is to disable any other malware competing for processing power, including Kinsing, Kswapd0, ntpd miner, redis-backup miner, auditd miner, Migration miner, the Crux worm and Crux worm miner. Ironically, the fact that TeamTNT identified these competitors in their malware gives security professionals a critical heads-up to be on the lookout for potential threats from these groups, Unit 42 said.
This kind of cyberjacking turf warfare isn’t new, but it appears to be accelerating.
“The battle for cloud resources will continue well into the future,” Nathaniel Quist, senior threat researcher for Unit 42 said. “In the past, attacker groups like Rocke and Pacha would battle for resources. TeamTNT is battling with Kinsing malware and Crux worm today. I believe that this battle for resources will increase and attacker groups will look for other opportunities to use cloud resources. We can see this now with TeamTNT collecting passwords and AWS credentials in an attempt to expand and maintain a cloud presence.”
After it eliminates the competition, Black-T installs masscan, libpcap to listen to various resources on the network, including pnscan, zgrab, Docker and jq (the latter is a flexible command-line JSON processor, according to Unit 42).
“TeamTNT is investing more resources into scanning operations, likely with the intent to identify and compromise more cloud systems,” Quist added. “Zmap is a known open-source scanning solution and with the creation of zgrab, a GoLang tool written for zmap, it is attempting to capitalize on the added benefits of the Go programming language, such as speed and performance increases. It is likely that TeamTNT actors are attempting to refine their scanning capabilities to make them faster, more accurate and less resource-intensive.”
Next, Black-T fetches various downloads: Beta to create a new directory; the mimipy and mimipenquin password scraping tools; and the XMR mining software called bd.
“The inclusion of memory password-scraping tools should be considered an evolution of tactics,” Quist said. “TeamTNT has already integrated the collection and exfiltration of AWS credentials from compromised cloud systems, which provides post-exploitation capabilities. By adding memory password-scraping capabilities, TeamTNT actors are increasing their chances in gaining persistence within cloud environments.”
The use of worms like masscan or pnscan by TeamTNT isn’t new, but Unit 42 noticed Black-T adds a new scanning port. Researchers wonder whether this signals the group has figured out how to target Android devices as well.
As remote work and cost savings continue to drive computing to the cloud, more groups like TeamTNT are sure to emerge ready to take advantage, according to Quist. Admins should take steps to ensure that Docker and daemon APIs, as well as any other sensitive network services, aren’t exposed, so that the cloud can be protected from the next evolution of cloud cryptojackers, he added.
On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.