September 19, 2024 at 10:30AM
A recent report by Group-IB researchers reveals that the cryptojacking operation TeamTNT has reappeared, targeting Virtual Private Server infrastructures using CentOS. The attack involves SSH brute force, malicious script uploads, and deploying the Diamorphine rootkit for concealing processes and establishing remote access. TeamTNT, active since 2019, has unveiled a new campaign disabling security features and executing persistent remote access. For more, follow on Twitter and LinkedIn.
Key takeaways from the meeting notes include:
– The resurgence of the cryptojacking operation known as TeamTNT targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system.
– The initial access was gained through a Secure Shell (SSH) brute force attack, enabling the threat actor to upload a malicious script that disabled security features, deleted logs, terminated cryptocurrency mining processes, and inhibited recovery efforts.
– The deployment of the Diamorphine rootkit was used to conceal malicious processes and establish persistent remote access to compromised hosts.
– The campaign has been attributed to TeamTNT with moderate confidence, citing similarities in observed tactics, techniques, and procedures (TTPs).
– The latest activity linked to TeamTNT involves a shell script that disables device security, seeks to remove traces left by other miners, terminates containerized processes, and establishes persistence through cron jobs and backdoor accounts.
– The script implements various changes within the SSH and firewall service configuration to lock down the system and hide its activities.
Let me know if you need any further information.