TeamTNT delivers malware with new detection evasion tool
Executive Summary
LevelBlue Labs™ has identified a new tool from the TeamTNT adversary group, which has been previously observed targeting exposed Docker infrastructure for cryptocurrency mining purposes and credential theft. The group is using a new detection evasion tool, copied from open source repositories.
The purpose of this blog is to share new technical intelligence and provide detection and analysis options for defenders.
Background
LevelBlue Labs previously reported on TeamTNT cryptomining malware using a new memory loader based on Ezuri and written in GOlang. Since then, TeamTNT has added another tool to their list of capabilities.
Analysis
The objective of the new tool is to hide the malicious process from process information programs.
The tool, named libprocesshider, is an open source tool from 2014 located on Github, described as "hide a process under Linux using the ld preloader.'' Preloading allows the system to load a custom shared library before other system libraries are loaded. If the custom shared library exports a function with the same signature of one located in the system libraries, the custom version will override it.
The tool implements the function read dir which is being used by processes such as ps to read the proc directory to find running processes and to modify the return value in case there is a match between the processes found and the process needed to hide.
p>The new tool arrives within a base64 encoded script hidden in the TeamTNT cryptominer binary or ircbot (figure 1):
Figure 1. base64 encoded script, via Alien Labs analysis.
Upon binary execution, the bash script will run through a multitude of tasks. Specifically, the script will:
- Modify the network DNS configuration.
- Set persistence through systemd.
- Drop and activate the new tool as service.
- Download the latest IRC bot configuration.
- Clear evidence of activities to complicate potential defender actions.
After decoding, we can observe the bash script functionality and how some malicious activity occurs before the shared library is created (figure 2):
Figure 2. Decoded bash script, via Alien Labs analysis.
The new tool is first dropped as a hidden tar file on disk, the script decompresses it, writes it to '/usr/local/lib/systemhealt.so', and then adds it preload via '/etc/ld.so.preload'. This will be used by the system to preload the file before other system libraries, allowing the attacker to override some common functions (figure 3/4).
Figure 3/4. bash script features, via Alien Labs analysis.
The main purpose of the tool is to hide the TeamTNT bot from process viewer tools, which use the file '/usr/bin/sbin' as you can see in Figure 3 and 4 (SETUP_IRCBOT function).
As final step, the malware will remove traces by deleting bash history:
Figure 5. bash script cleanup, via Alien Labs analysis.
Conclusion
p>Through the use of libprocesshider, TeamTNT once again expands their capabilities based on the available open source tools. While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level. Alien Labs will continue to monitor the threat and report on any noteworthy activity.
Appendix A. Detection Methods
The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.
| SURICATA IDS SIGNATURES |
| AV TROJAN TeamTNT CoinMiner Payload Download to clean up other Coinminers AV TROJAN TeamTNT Mining Worm Credential Exfiltration AV TROJAN TeamTNT CoinMiner Downloader ET TROJAN Observed TrojanSpy.SH.HADGLIDER.A Exfil Domain in DNS Query |
| YARA RULES |
rule team TNT_hide proc
{
meta:
sha256 = 02cde4109a12acb499953aa8c79917455b9f49837c7c1dbb13cbcf67e86a1555
strings:
$ code1 = {48 8B 15 ?? ?? 00 00 48 8B 85 ?? ?? FF FF 48 89 C7 FF D2 48 89 [2-5] 48 [3-6] 00 74 ?? 48 8D 8D F0 FD FF FF 48 8B 85 ?? FD FF FF BA 00 01 00 00 48 89 CE 48 89 C7 E8 ?? FD FF FF 85 C0 74 ?? 48 8D 85 F0 FD FF FF 48 8D 35 ?? ?? 00 00 48 89 C7 E8 ?? ?? FF FF 85 C0 75 ?? 48 8B [2-5] 48 8D 50 13 48 8D 85 F0 FE FF FF 48 89 C6 48 89 D7 E8 ?? ?? FF FF 85 C0 74 22 48 8B 15 ?? ?? 00 00 48 8D 85 F0 FE FF FF 48 89 D6 48 89 C7 E8 ?? ?? FF FF 85 C0 }
$s1 = readdir64
$s2 = dlsym
$s3 = _ITM_deregisterTMCloneTable
$s4 = frame_dummy
condition:
uint16(0) == 0x457f and
filesize < 25000 and
all of them
}
|
Appendix B. Associated Indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the blog.
div class="table-responsive margin-bottom30">
| TYPE |
INDICATOR |
DESCRIPTION |
| SHA256 |
73dec430b98ade79485f76d405c7a9b325df7492b4f97985499a46701553e34a |
ezuri packed, TeamTNT CryptoMiner |
| SHA256 |
cb013be7b5269c035495222198ec708c026c8db838031af60fd0bd984f34226f |
TeamTNT CryptoMiner |
| SHA256 |
02cde4109a12acb499953aa8c79917455b9f49837c7c1dbb13cbcf67e86a1555 |
TeanTNT hideprocess (systemhealt.so) |
| SHA256 |
b666cd08b065132235303727f2d77997a30355ae0e5b557cd08d41c9ade7622d |
ziggy_spread - TeamTNT IRC bot |
| Domain |
C2 Server |
Feedback
LevelBlue Labs welcomes feedback about this blog.