New Cryptojacking Malware Variant Targeting Cloud Systems Discovered

A new variant of cryptojacking malware from threat group TeamTnT has been uncovered by Palo Alto Networks’ threat intelligence team, Unit 42.

The malware, named Black-T, “gives evidence of a shift in tactics, techniques and procedures (TTPs)” for operations conducted by TeamTNT, a group known for targeting AWS credential files on compromised cloud systems and mine for Monero.

While Unit 42 researchers observed that traditional TeamTNT TTPs of targeting exposed Docker daemon APIs and undertaking scanning and cryptojacking operations on vulnerable systems of affected organizations are followed by Black-T, code in the malware shows it has enhanced capabilities.

These include the targeting and stopping of cryptojacking worms such as the Crux worm, ntpd miner and a redis-bakup miner, that were previously unknown. Another is the use of memory password scraping operations via mimipy and mimipenguins, with the identification of passwords through mimipenguins exfiltrated to a TeamTNT command and control node.

In addition, the researchers found that Black T is able to extend TeamTNTs cryptojacking operations by using three different network scanning tools to identify extra Docker daemon APIs that are present in the local network of the compromised system as well as across any number of publicly accessible networks. While two of these, masscan and pnscan, have previously been used by the group, the introduction of zgrab is the first time that a GoLang tool has been seen to be included in TeamTNT’s arsenal.

Palo Alto Networks explained: “TeamTnT is a cloud-focused cryptojacking group which targets exposed Docker daemon APIs. Upon successful identification and exploitation of the Docker daemon API, TeamTnT will drop the new cryptojacking variant Black-T.”

Speaking to Infosecurity, Nathaniel Quist, senior threat researcher at Unit 42, Palo Alto Networks said: “As TeamTnT currently functions, they are very opportunistic and are indiscriminate in who they target. It seems they are more interested in exploiting services to steal as many computational processes as they can, rather than targeting specific sectors.”

He added: “COVID-19 pushed many organizations towards cloud infrastructure a bit faster, so it’s likely that we’ll see cloud focused-malware evolve to use more sophisticated techniques as a result, given the increased opportunity.”