New TeamTNT Cryptojacking Marketing campaign Targets CentOS Servers with Rootkit
[ad_1]
The cryptojacking operation generally known as TeamTNT has possible resurfaced as a part of a brand new marketing campaign concentrating on Digital Personal Server (VPS) infrastructures based mostly on the CentOS working system.
“The preliminary entry was achieved through a Safe Shell (SSH) brute power assault on the sufferer’s belongings, throughout which the risk actor uploaded a malicious script,” Group-IB researchers Vito Alfano and Nam Le Phuong said in a Wednesday report.
The malicious script, the Singaporean cybersecurity firm famous, is accountable for disabling security measures, deleting logs, terminating cryptocurrency mining processes, and inhibiting restoration efforts.
The assault chains in the end pave the best way for the deployment of the Diamorphine rootkit to hide malicious processes, whereas additionally establishing persistent distant entry to the compromised host.
The marketing campaign has been attributed to TeamTNT with average confidence, citing similarities within the ways, methods, and procedures (TTPs) noticed.
TeamTNT was first found within the wild in 2019, enterprise illicit cryptocurrency mining actions by infiltrating cloud and container environments. Whereas the risk actor bid farewell in November 2021 by asserting a “clear stop,” public reporting has uncovered several campaigns undertaken by the hacking crew since September 2022.
The most recent exercise linked to the group manifests within the type of a shell script that first checks if it was beforehand contaminated by different cryptojacking operations, after which it precedes to impair machine safety by disabling SELinux, AppArmor, and the firewall.
 |
| Adjustments applied on ssh service |
“The script searches for a daemon associated to the cloud supplier Alibaba, named aliyun.service,” the researchers mentioned. “If it detects this daemon, it downloads a bash script from replace.aegis.aliyun.com to uninstall the service.”
Apart from killing all competing cryptocurrency mining processes, the script takes steps to execute a collection of instructions to take away traces left by different miners, terminate containerized processes, and take away pictures deployed in reference to any coin miners.
Moreover, it establishes persistence by configuring cron jobs that obtain the shell script each half-hour from a distant server (65.108.48[.]150) and modifying the “/root/.ssh/authorized_keys” file so as to add a backdoor account.
“It locks down the system by modifying file attributes, making a backdoor person with root entry, and erasing command historical past to cover its actions,” the researchers famous. “The risk actor leaves nothing to likelihood; certainly, the script implements numerous adjustments inside the SSH and firewall service configuration.”
[ad_2]
Source link