TeamTNT delivers malware with new detection evasion tool

January 27, 2021 | Ofer Caspi

Executive Summary

AT&T Alien Labs™ has identified a new tool from the TeamTNT adversary group, which has been previously observed targeting exposed Docker infrastructure for cryptocurrency mining purposes and credential theft. The group is using a new detection evasion tool, copied from open source repositories.

The purpose of this blog is to share new technical intelligence and provide detection and analysis options for defenders.

Background

AT&T Alien Labs previously reported on TeamTNT cryptomining malware using a new memory loader based on Ezuri and written in GOlang. Since then, TeamTNT has added another tool to their list of capabilities.

Analysis

The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique.

The tool, named libprocesshider, is an open source tool from 2014 located on Github, described as "hide a process under Linux using the ld preloader.'' Preloading allows the system to load a custom shared library before other system libraries are loaded. If the custom shared library exports a function with the same signature of one located in the system libraries, the custom version will override it.

The tool implements the function readdir() which is being used by processes such as `ps` to read the /proc directory to find running processes and to modify the return value in case there is a match between the processes found and the process needed to hide.

The new tool arrives within a base64 encoded script hidden in the TeamTNT cryptominer binary or ircbot (figure 1):

base64 script

Figure 1. base64 encoded script, via Alien Labs analysis.

Upon binary execution, the bash script will run through a multitude of tasks. Specifically, the script will:

  • Modify the network DNS configuration.
  • Set persistence through systemd.
  • Drop and activate the new tool as service.
  • Download the latest IRC bot configuration.
  • Clear evidence of activities to complicate potential defender actions.

After decoding, we can observe the bash script functionality and how some malicious activity occurs before the shared library is created (figure 2):

bash script functionality

Figure 2. Decoded bash script, via Alien Labs analysis.

The new tool is first dropped as a hidden tar file on disk, the script decompresses it, writes it to '/usr/local/lib/systemhealt.so', and then adds it preload via '/etc/ld.so.preload'. This will be used by the system to preload the file before other system libraries, allowing the attacker to override some common functions (figure 3/4).

preload file 1

preload file 2

Figure 3/4. bash script features, via Alien Labs analysis.

The main purpose of the tool is to hide the TeamTNT bot from process viewer tools, which use the file '/usr/bin/sbin' as you can see in Figure 3 and 4 (SETUP_IRCBOT function).

As final step, the malware will remove traces by deleting bash history:

deleting bash history

Figure 5. bash script cleanup, via Alien Labs analysis.

Conclusion

Through the use of libprocesshider, TeamTNT once again expands their capabilities based on the available open source tools. While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level. Alien Labs will continue to monitor the threat and report on any noteworthy activity.

Appendix A. Detection Methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

AV TROJAN TeamTNT CoinMiner Payload Download to clean up other Coinminers

AV TROJAN TeamTNT Mining Worm Credential Exfiltration

AV TROJAN TeamTNT CoinMiner Downloader

ET TROJAN Observed TrojanSpy.SH.HADGLIDER.A Exfil Domain in DNS Query

 

YARA RULES

rule teamTNT_hideproc

{

    meta:

        sha256 = "02cde4109a12acb499953aa8c79917455b9f49837c7c1dbb13cbcf67e86a1555"

    strings:

        $code1 = {48 8B 15 ?? ?? 00 00 48 8B 85 ?? ?? FF FF 48 89 C7 FF D2 48 89 [2-5] 48 [3-6] 00 74 ?? 48 8D 8D F0 FD FF FF 48 8B 85 ?? FD FF FF BA 00 01 00 00 48 89 CE 48 89 C7 E8 ?? FD FF FF 85 C0 74 ?? 48 8D 85 F0 FD FF FF 48 8D 35 ?? ?? 00 00 48 89 C7 E8 ?? ?? FF FF 85 C0 75 ?? 48 8B [2-5] 48 8D 50 13 48 8D 85 F0 FE FF FF 48 89 C6 48 89 D7 E8 ?? ?? FF FF 85 C0 74 22 48 8B 15 ?? ?? 00 00 48 8D 85 F0 FE FF FF 48 89 D6 48 89 C7 E8 ?? ?? FF FF 85 C0 }

        $s1 = "readdir64"

        $s2 = "dlsym"

        $s3 = "_ITM_deregisterTMCloneTable"

        $s4 = "frame_dummy"

    condition:

        uint16(0) == 0x457f and

        filesize < 25000 and

        all of them

}

 

 

AGENT SIGNATURES

"detection_suspicious_ld_preload_environment_variable": {"platform": "linux", "description": "Detects usage of the ld_preload env variable ", "query": "SELECT process_envs.pid as source_process_id, process_envs.key as environment_variable_key, process_envs.value as environment_variable_value, processes.name as source_process, processes.path as file_path, processes.cmdline as source_process_commandline, processes.cwd as current_working_directory, 'T1055' as event_attack_id, 'Process Injection' as event_attack_technique, 'Defense Evasion, Privilege Escalation' as event_attack_tactic FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';", "interval": "60","removed": "false"}

 

Appendix B. Associated Indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the blog.

TYPE

INDICATOR

DESCRIPTION

SHA256

73dec430b98ade79485f76d405c7a9b325df7492b4f97985499a46701553e34a

ezuri packed, TeamTNT CryptoMiner

SHA256

cb013be7b5269c035495222198ec708c026c8db838031af60fd0bd984f34226f

TeamTNT CryptoMiner

SHA256

02cde4109a12acb499953aa8c79917455b9f49837c7c1dbb13cbcf67e86a1555

TeanTNT hideprocess (systemhealt.so)

SHA256

b666cd08b065132235303727f2d77997a30355ae0e5b557cd08d41c9ade7622d

ziggy_spread - TeamTNT IRC bot

Domain

kaiserfranz[.]cc

C2 Server

 

Feedback

AT&T Alien Labs welcomes feedback about this blog. Please contact the Alien Labs blog author or contact labs@alienvault.com. 

Ofer Caspi

About the Author: Ofer Caspi

Ofer is a Security Researcher at Alien Labs, part of the AT&T Cybersecurity. He can be found on LinkedIn and Twitter (@ShablolForce)

Read more posts from Ofer Caspi ›

‹ BACK TO ALL BLOGS

Get the latest security news in your inbox.

Subscribe via email

RSS

Watch a demo ›
Get price Free trial