The TeamTNT cybercrime group has recently updated its crypto-mining worm with password-stealing capabilities and with an additional network scanner to make it easier to spread to other vulnerable devices.
While known mostly for actively targeting Docker instances to use compromised systems for unauthorized Monero (XMR) mining, the group now shifted their tactics by upgrading their cryptojacking malware to also collect user credentials.
As Unit 42 researchers found TeamTNT is hard at work boosting their malware's capabilities, this time adding memory password scraping capabilities via
mimipy (with support for Windows/Linux/macOS) and
mimipenguin (Linux support), two open-source Mimikatz equivalents targeting *NIX desktops.
Black-T, as the worm has been named by Unit 42, collects any plaintext passwords it finds in the compromised systems' memory and delivers them to TeamTNT's command and control servers.
"This is the first time TeamTnT actors have been witnessed including this type of post-exploitation operation in their TTPs," Unit 42 Senior Threat Researcher Nathaniel Quist explained in a
report published today.
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
