Bitcoin Forum>Other>Beginners & Help
Author

Topic: Team TNT: The first crypto-mining worm that steals AWS Credentials (Read 129 times)

cryptomaniac_xxx
hero member
Activity: 1344
Merit: 540
Team TNT: The first crypto-mining worm that steals AWS Credentials
January 29, 2021, 12:54:57 AM
#2
Now Team TNT has upgraded their malware to evade detection.

Quote
TeamTNT is mostly known for targeting and compromising Internet-exposed Docker instances for unauthorized Monero (XMR) mining.

However, the group has also shifted tactics by updating its Linux cryptojacking malware named Black-T to also harvest user credentials from infected servers.

TeamTNT now further upgraded their malware to evade detection after infecting and deploying malicious coinminer payloads on Linux devices.

However, cyber threat investigators have unraveled how they do it:

Quote
"The group is using a new detection evasion tool, copied from open source repositories," AT&T Alien Labs security researcher Ofer Caspi says in a report published today.

This tool is known as libprocesshider and is an open-source tool available on Github that can be used to hide any Linux process with the help of the ld preloader.

"The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique," Caspi added.

The detection evasion tool is deployed on infected systems as a base64 encoded bash script embedded within the TeamTNT ircbot or cryptominer binary.

https://www.bleepingcomputer.com/news/security/linux-malware-uses-open-source-tool-to-evade-detection/
cryptomaniac_xxx
hero member
Activity: 1344
Merit: 540
Re: Team TNT: The first crypto-mining worm that steals AWS Credentials
August 18, 2020, 03:10:03 AM
#1
It looks like we have a new crypto mining worm that evolves and now are also crypto jacking our AWS credentials. According to this report from CadoSecurity,

Quote

Over the weekend we’ve seen a crypto-mining worm spread that steals AWS credentials. It’s the first worm we’ve seen that contains such AWS specific functionality. The worm also steals local credentials, and scans the internet for misconfigured Docker platforms. We have seen the attackers, who call themselves “TeamTNT”, compromise a number of Docker and Kubernetes systems.

These attacks are indicative of a wider trend. As organisations migrate their computing resources to cloud and container environments, we are seeing attackers following them there.


message when you see when it was first run

Below are some suggestions to help protect them:

Quote
- Identify which systems are storing AWS credential files and delete them if they aren’t needed. It’s  common to find development credentials have accidentally been left on production systems.
- Use firewall rules to limit any access to Docker APIs. We strongly recommend using a whitelisted approach for your firewall ruleset.
- Review network traffic for any connections to mining pools, or using the Stratum mining protocol.
- Review any connections sending the AWS Credentials file over HTTP.

https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/
Bitcoin Forum>Other>Beginners & Help
Jump to: