The TeamTNT cybercrime group has upgraded their Linux cryptocurrency miner by adding open-source detection evasion capabilities, AT&T Alien Labs researchers warn.
Early this year, researchers from Trend Micro discovered that the TeamTNT botnet was improved with the ability to steal Docker credentials.
The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and that targets Docker installs. The activity of the TeamTNT group has been detailed by security firm Trend Micro, but in August experts from Cado Security discovered that that botnet is also able to target misconfigured Kubernetes installations.
“The group is using a new detection evasion tool, copied from open source repositories,” reads the analysis published by AT&T Alien Labs.
The threat actor behind the botnet used the new tool to hide the malicious process from process information programs such as `ps` and `lsof`and evading the detection.
The libprocesshider open-source tool is available on Github since 2014 and is able to “hide a process under Linux using the ld preloader.” The “preloading” technique allows the system to load a custom shared library before other system libraries are loaded. If the custom shared library exports a function with the same signature of a library that is located in the system libraries, the custom version will override it.