This Linux malware uses open source software to hide its malicious processes

Security researchers have discovered that a notorious threat group has upgraded its arsenal with a new tool that enables its malware to avoid detection on Linux.

Researchers at AT&T’s Alien Labs report that the TeamTNT cybercrime group, known for its break-ins into popular cloud instances for mining cryptocurrency, is now using a detection-evasion tool that is based on the open source libprocesshider library.

The libprocesshider library describes itself as a means to “hide a process under Linux.”

Pulling a Keyser Soze

TeamTNT is infamous for targeting misconfigured Docker instances with crypto mining malware, and has recently upgraded to target Kubernetes installations and to steal AWS credentials.

According to reports, the group had recently shifted tactics by updating its Linux cryptojacking malware named Black-T to also harvest user credentials from infected servers. It has now gone one step further and added the detection-evasion capabilities to the Black-T malware.

The researchers report that the new tool is delivered within a base64-encoded script, hidden in the TeamTNT cryptominer binary, or through its Internet Relay Chat (IRC) bot. Once delivered, it masks the malicious binary from process information tools such as ps and lsof.

The AT&T researchers note that TeamTNT is also known for deploying updates to its cryptomining malware, with the previous one being a new memory loader based on Ezuri and written in Golang.

“While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level,” suggest the researchers.
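For defenders who want to act on that host-level indicator, the following is an added example, not code from the article or from the researchers. It relies on background about the open source library that the article does not state: it is loaded as a preloaded shared object and filters entries out of /proc directory listings, so a PID that answers a direct path lookup but never appears in the listing is worth investigating. The function names and sample values are constructed for illustration.

```python
"""Cross-check the /proc directory listing against direct per-PID lookups."""
import os

PRELOAD_FILE = "/etc/ld.so.preload"  # system-wide preload list read by the dynamic loader

def preload_entries(text):
    """Library paths named in ld.so.preload content ('#' comments stripped)."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].replace(":", " ").split())
    return entries

def is_process(pid, proc="/proc"):
    """True if pid is a live thread-group leader, found by path rather than by listing.
    Plain thread IDs also resolve under /proc but are never listed, so they are skipped."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except (OSError, ValueError):
        return False
    return False

def listed_pids(proc="/proc"):
    """PIDs visible through a directory listing (the view ps-style tools rely on)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def hidden_pids(list_fn, probe_fn, max_pid):
    """PIDs that answer a direct probe but are absent from listings taken before and
    after the sweep; the re-probe drops processes that exited during the scan."""
    before = list_fn()
    found = {pid for pid in range(1, max_pid + 1) if probe_fn(pid)}
    after = list_fn()
    return sorted(pid for pid in found - before - after if probe_fn(pid))

if __name__ == "__main__":
    try:
        with open(PRELOAD_FILE) as fh:
            print("preloaded libraries:", preload_entries(fh.read()))
    except FileNotFoundError:
        print("no", PRELOAD_FILE)
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    print("unlisted PIDs:", hidden_pids(listed_pids, is_process, max_pid))
```

Any entry in the preload file that the administrator did not put there, or any PID the script reports, is a lead for further triage rather than proof of compromise.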

Via: BleepingComputer