2021-01-27

Security researchers at AT&T Alien Labs have revealed that the TeamTNT hacking group uses an open source tool to evade malware detection on Linux. They also note that this malware targets “the Docker infrastructure exposed for cryptocurrency mining and credential theft.”

TeamTNT had already been using “a new memory loader based on Ezuri and written in Golang”. Now, AT&T Alien Labs reports, the group has added another tool to its list of capabilities.

The report notes that the tool used to bypass Linux defenses is known as libprocesshider and is publicly available on GitHub. Its stated purpose is to “hide a process in Linux using the ld preloader”.

Experts consider libprocesshider a fairly effective evasion technique, because it hides the malicious process from process-listing tools such as ps and lsof.

How does this Linux malware behave?

Once inside the system, the malware is launched from a base64-encoded bash script hidden inside the TeamTNT ircbot or cryptominer binary. The script hides the library on disk, decodes it, writes it to “/usr/local/lib/systemhealt.so”, and then adds that path to “/etc/ld.so.preload”.

In simpler terms, this tool gives the attacker the ability to override common functions and carry out actions such as:

Modify the DNS settings of the network.

Set persistence through systemd.

Drop and activate the new tool as a service.

Download the latest bot configuration from IRC.

Complicate the actions of defenders.

In effect, it lets the TeamTNT cybercriminal group expand its capabilities using open source tools available on GitHub. This libprocesshider-based Linux malware is particularly stealthy: it is used not only to evade malware detection, but also to hide at the host level.
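The hiding described above rests on /etc/ld.so.preload forcing a library into every dynamically linked program, where it filters the readdir() calls that ps, lsof and ls use to enumerate /proc. The following detector is an added example written for this article, not code from AT&T Alien Labs or the libprocesshider project: it flags unexpected entries in /etc/ld.so.preload and compares the readdir() view of /proc with a stat() probe of every candidate PID, which such a hook does not intercept. The allow-list and the pid_max default are assumptions; the systemhealt.so path is the one named in the report.

```python
"""Defender checks for ld.so.preload process hiding (libprocesshider style)."""
import os

LD_PRELOAD_FILE = "/etc/ld.so.preload"
# Constructed allow-list: on a real host, populate it from your baseline.
KNOWN_GOOD_PRELOADS = set()


def parse_ld_preload(text):
    """Whitespace-separated library paths; '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs


def unexpected_preloads(libs, allowlist):
    """Preloaded objects that are not on the allow-list."""
    return [lib for lib in libs if lib not in allowlist]


def listed_pids():
    """PIDs seen through readdir() on /proc: the view a preload hook can filter."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(pid_max):
    """PIDs found by stat()ing /proc/<n> for every candidate, bypassing readdir()."""
    return {n for n in range(1, pid_max + 1) if os.path.isdir(f"/proc/{n}")}


def hidden_pids(listed, probed):
    """PIDs that exist in /proc but were absent from the directory listing."""
    return sorted(probed - listed)


def scan(pid_max=32768):
    """Run both checks; re-check candidates so PIDs that merely started or
    exited between the two enumerations are not reported."""
    libs = []
    if os.path.exists(LD_PRELOAD_FILE):
        with open(LD_PRELOAD_FILE) as fh:
            libs = parse_ld_preload(fh.read())
    candidates = hidden_pids(listed_pids(), probed_pids(pid_max))
    confirmed = [p for p in candidates
                 if os.path.isdir(f"/proc/{p}") and p not in listed_pids()]
    return {"preloads": unexpected_preloads(libs, KNOWN_GOOD_PRELOADS),
            "hidden_pids": confirmed}


if __name__ == "__main__":
    print(scan())
```

Read /proc/sys/kernel/pid_max and pass it to scan() on hosts where it exceeds the default, otherwise high-numbered processes are never probed.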
