Unit 42, the threat intelligence team of Palo Alto Networks, has discovered a new cryptojacking malware variant from the TeamTNT threat group. The malware, called Black-T, shows that TeamTNT has changed the tactics, techniques and procedures (TTPs) it uses in its "business". TeamTNT is known for targeting AWS credential files on compromised cloud systems.
Unit 42 researchers had previously observed TeamTNT using traditional TTPs to target exposed Docker daemon APIs and to perform scanning and cryptojacking operations on vulnerable systems of affected organizations; the group now uses Black-T, and the malware's code shows that its capabilities have expanded.
These include identifying and killing competing cryptojacking worms, such as the Crux worm, the ntpd miner and a redis-bakup miner, the last of which was previously unknown in the threat landscape. Another capability is scraping passwords from memory via mimipy and mimipenguins; passwords identified by mimipenguins are sent to the TeamTNT command-and-control node.
In addition, the researchers found that Black-T extends TeamTNT's cryptojacking functionality by using three different network scanning tools to find additional Docker daemon APIs on the compromised system's local network and on any number of publicly accessible networks. Two of them, masscan and pnscan, have been used by the group in the past, but the introduction of zgrab is the first time a Go (Golang) tool has appeared in TeamTNT's arsenal.
According to Palo Alto Networks, TeamTNT is a cloud-focused cryptojacking group that targets exposed Docker daemon APIs. After successfully identifying and exploiting a Docker daemon API, TeamTNT deploys the new cryptojacking malware variant, Black-T.
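The exposure TeamTNT scans for is a Docker daemon API listening on TCP without TLS client verification. The following audit script is an added example, not code from Unit 42 or Palo Alto Networks: it checks a `daemon.json` document and a `dockerd` command line for `tcp://` listeners that lack `tlsverify`, and flags TLS-protected listeners that are bound to all interfaces. The sample configuration strings are constructed for the example; the `hosts`, `tlsverify`, `-H`/`--host` and `--tlsverify` options are real dockerd settings.

```python
"""Audit Docker daemon configuration for an unauthenticated TCP-exposed API.

Added example (not from Unit 42 / Palo Alto Networks). The sample inputs below
are constructed; feed the functions real daemon.json contents or the dockerd
command line from `ps` to audit a host.
"""
import json
import shlex
from urllib.parse import urlparse

DEFAULT_TCP_PORT = 2375  # dockerd's default plain-TCP port when none is given
ALL_INTERFACES = ("", "0.0.0.0", "::")

# Constructed sample inputs (not taken from any real host).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_SECURE_JSON = (
    '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
    '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem", '
    '"tlskey": "/etc/docker/server-key.pem"}'
)
SAMPLE_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"


def tcp_listeners(hosts):
    """Return (bind_address, port) for every tcp:// entry in a dockerd hosts list."""
    listeners = []
    for entry in hosts:
        url = urlparse(entry)
        if url.scheme == "tcp":
            listeners.append((url.hostname or "", url.port or DEFAULT_TCP_PORT))
    return listeners


def assess(hosts, tls_verify):
    """Turn listener list plus TLS-verification state into human-readable findings."""
    findings = []
    for addr, port in tcp_listeners(hosts):
        if not tls_verify:
            # Anyone who can reach this port can run containers as root on the host.
            findings.append(f"tcp://{addr}:{port} exposed without tlsverify")
        elif addr in ALL_INTERFACES:
            findings.append(
                f"tcp://{addr}:{port} bound to all interfaces (TLS on); restrict with a firewall"
            )
    return findings


def audit_daemon_json(text):
    """Audit the JSON body of /etc/docker/daemon.json."""
    cfg = json.loads(text)
    return assess(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))


def audit_cmdline(cmdline):
    """Audit a dockerd command line as shown by `ps -o args`."""
    args = shlex.split(cmdline)
    hosts = []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host=") or arg.startswith("-H="):
            hosts.append(arg.split("=", 1)[1])
    tls_verify = "--tlsverify" in args or "--tlsverify=true" in args
    return assess(hosts, tls_verify)


if __name__ == "__main__":
    for label, findings in (
        ("daemon.json (insecure sample)", audit_daemon_json(SAMPLE_DAEMON_JSON)),
        ("daemon.json (TLS sample)", audit_daemon_json(SAMPLE_SECURE_JSON)),
        ("dockerd cmdline (sample)", audit_cmdline(SAMPLE_CMDLINE)),
    ):
        print(label)
        for f in findings or ["no TCP exposure found"]:
            print("  -", f)
```

The check is deliberately conservative: a listener that passes it still needs network-level restriction, and a finding of "exposed without tlsverify" on any non-loopback address is exactly the condition that scanners like masscan, pnscan and zgrab are used to locate.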
Nathaniel Quist, a senior threat researcher at Unit 42, told Infosecurity that since TeamTNT is still actively conducting operations, it is unclear exactly what its goals are. However, the group appears more interested in exploiting services to hijack as much computing power as possible than in targeting specific sectors. Quist added that the COVID-19 pandemic pushed many organizations into cloud infrastructure in a short period of time, so cloud-focused malware is likely to evolve and use more sophisticated techniques in its attacks.