The TeamTNT threat group has added a new detection-evasion tool to its arsenal, helping its cryptomining malware skirt by defense teams.
The new detection-evasion tool, libprocesshider, is copied from open-source repositories. The open-source tool, from 2014 has been located on Github, and is described as having capabilities to “hide a process under Linux using the ld preloader.”
“While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level,” said researchers with AT&T’s Alien Labs,
on Wednesday.
The new tool is delivered within a base64-encoded script, hidden in the TeamTNT cryptominer binary, or via
its Internet Relay Chat (IRC) bot, called TNTbotinger, which is capable of distributed denial of service (DDoS) attacks.
In the attack chain, after the base64-encoded script is downloaded, it runs through multiple tasks. These include modifying the network DNS configuration, setting persistence (through systemd), downloading the latest IRC bot configuration, clearing evidence of activities – and dropping and activating libprocesshider. [...]
threatpost.com
