Cado Security has identified a new strain of malware used to mine Monero cryptocurrency on compromised systems, which is believed to have been developed by the cryptojacking group known as TeamTNT.
The malware was discovered after Sysdig highlighted an attack called SCARLETEEL, which was aimed at containerized environments and designed to steal proprietary data and software. While there is no concrete evidence to connect the new malware to the SCARLETEEL attack, the sample appeared around the same time the latter was reported, leading Cado Security to suggest that it may have been used as a decoy to conceal data exfiltration.
TeamTNT has been active since 2019 and has repeatedly attacked cloud and container environments to deploy cryptocurrency miners.
The group is also known for unleashing a crypto mining worm that can steal AWS credentials. While the threat actor voluntarily shut down its operations in November 2021, cloud security firm Aqua disclosed a fresh set of attacks by the group in September 2022, targeting misconfigured Docker and Redis instances.
Rival crews such as WatchDog are also thought to be mimicking TeamTNT’s tactics, techniques, and procedures (TTPs) to foil attribution efforts.
The newly discovered malware is driven by a shell script that takes a series of preparatory steps before the mining starts: it raises resource hard limits, disables command-history logging, sets the firewall to accept all ingress and egress traffic, enumerates the available hardware (CPU and memory), and kills off miners left behind by earlier compromises. The payload also uses dynamic linker hijacking to hide the miner process: a shared object called libprocesshider is loaded into every new process via the LD_PRELOAD environment variable, so that process-listing tools that walk /proc no longer show the miner.
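The following POSIX shell script is an added example written for this page; it is not TeamTNT's dropper and not Cado Security's tooling. It scores a script for the preparatory steps described above, inspects an ld.so.preload file for a process-hiding library, lists live processes carrying LD_PRELOAD, and finds PIDs that a readdir-hooking library such as libprocesshider would hide from `ls /proc` and `ps`. The dropper fragment, the library path `/usr/local/lib/libprocesshider.so`, the pool name and the process names being killed are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not TeamTNT's script and not Cado's tooling): hunt for the
# preparatory steps and the LD_PRELOAD hiding described above. The dropper
# text, file paths and process names used here are constructed for illustration.

# Constructed dropper fragment that mirrors the described preparatory steps.
SAMPLE_DROPPER='#!/bin/bash
ulimit -n 65535
unset HISTFILE; export HISTFILE=/dev/null
iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -F
nproc; cat /proc/cpuinfo | grep "model name"
pkill -9 -f kdevtmpfsi; pkill -9 -f kinsing
echo /usr/local/lib/libprocesshider.so > /etc/ld.so.preload
export LD_PRELOAD=/usr/local/lib/libprocesshider.so
./xmrig -o pool.example:3333'

# Score a shell script for the preparatory steps: one point per TTP family,
# six families in total. Prints the score; the caller picks the threshold.
score_dropper() {
  f="$1"; n=0
  grep -Eq '(^|[[:space:];&|])ulimit[[:space:]]+-' "$f" && n=$((n+1))                    # resource limits
  grep -Eq 'HISTFILE|HISTSIZE=0|set[[:space:]]+\+o[[:space:]]+history' "$f" && n=$((n+1)) # history logging
  grep -Eq 'iptables[[:space:]]+(-P|--policy)[[:space:]]+(INPUT|OUTPUT|FORWARD)[[:space:]]+ACCEPT|iptables[[:space:]]+-F' "$f" && n=$((n+1)) # open firewall
  grep -Eq 'nproc|lscpu|/proc/cpuinfo|nvidia-smi' "$f" && n=$((n+1))                      # hardware enumeration
  grep -Eq 'pkill|killall|kill[[:space:]]+-9' "$f" && n=$((n+1))                          # competitor cleanup
  grep -Eq 'LD_PRELOAD|ld\.so\.preload|processhider' "$f" && n=$((n+1))                   # dynamic linker hijacking
  echo "$n"
}

# Inspect an ld.so.preload file (normally /etc/ld.so.preload). Returns 1 if any
# entry looks like a process hider or lives in a world-writable staging dir.
check_preload_file() {
  f="$1"; bad=0
  [ -s "$f" ] || { echo "no preload entries"; return 0; }
  while IFS= read -r lib; do
    [ -z "$lib" ] && continue
    case "$lib" in
      *processhider*|/tmp/*|/dev/shm/*|/var/tmp/*) echo "suspicious: $lib"; bad=1 ;;
      *) echo "preload: $lib" ;;
    esac
  done < "$f"
  return $bad
}

# On a live host: report processes whose environment carries LD_PRELOAD.
# Reading /proc/<pid>/environ for other users' processes requires root, and the
# glob itself uses readdir, so a hooked libc can hide entries from this scan.
preloaded_processes() {
  for env in /proc/[0-9]*/environ; do
    pid=${env#/proc/}; pid=${pid%/environ}
    if tr '\0' '\n' < "$env" 2>/dev/null | grep -q '^LD_PRELOAD='; then
      echo "$pid $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    fi
  done
}

# libprocesshider hooks readdir(), so hidden PIDs vanish from `ls /proc` and
# `ps`, but a direct stat of /proc/<pid> still succeeds. Probe every PID up to
# $1 (default: kernel pid_max) and print the ones that exist but are not listed.
find_hidden_pids() {
  max=${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
  listed=$(ls /proc 2>/dev/null | grep -E '^[0-9]+$')
  pid=1
  while [ "$pid" -le "$max" ]; do
    if [ -d "/proc/$pid" ] && ! printf '%s\n' "$listed" | grep -qx "$pid"; then
      echo "hidden pid: $pid"
    fi
    pid=$((pid+1))
  done
}

# Stand-alone demo over the constructed sample plus a quick live sweep.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_DROPPER" > "$tmp"
echo "dropper score: $(score_dropper "$tmp")/6"
printf '/usr/local/lib/libprocesshider.so\n' > "$tmp"
check_preload_file "$tmp" || echo "ld.so.preload verdict: suspicious"
rm -f "$tmp"
preloaded_processes
find_hidden_pids 65536   # pass no argument for a full pid_max sweep
```

Run it as root on a suspect host to cover every process's environment; a full `find_hidden_pids` sweep up to pid_max (often 4194304) takes noticeably longer than the capped demo, but a hidden miner can sit at any PID, so use the uncapped form when investigating. The score is a triage signal, not a verdict: benign provisioning scripts also call ulimit and nproc, which is why each family counts once and the linker-hijacking hit should be weighted by the reviewer.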