One Article Review

Source: AlienVault Blog
Identifier: 2251665
Publication date: 2021-01-27 11:00:00 (seen: 2021-01-27 11:05:13)
Title: TeamTNT delivers malware with new detection evasion tool
Executive Summary

AT&T Alien Labs™ has identified a new tool from the TeamTNT adversary group, which has previously been observed targeting exposed Docker infrastructure for cryptocurrency mining and credential theft. The group is using a new detection evasion tool, copied from open source repositories. The purpose of this blog is to share new technical intelligence and provide detection and analysis options for defenders.

Background

AT&T Alien Labs previously reported on TeamTNT cryptomining malware using a new memory loader based on Ezuri and written in Golang. Since then, TeamTNT has added another tool to its list of capabilities.

Analysis

The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique. The tool, named libprocesshider, is an open source tool from 2014 located on GitHub, described as "hide a process under Linux using the ld preloader." Preloading allows the system to load a custom shared library before other system libraries are loaded. If the custom shared library exports a function with the same signature as one located in the system libraries, the custom version overrides it. The tool implements its own readdir(), the function that programs such as `ps` use to read the /proc directory to find running processes, and modifies the return value whenever an entry matches the process to be hidden.

The new tool arrives within a base64 encoded script hidden in the TeamTNT cryptominer binary or IRC bot (figure 1).

Figure 1. Base64 encoded script, via Alien Labs analysis.

Upon binary execution, the bash script runs through a multitude of tasks. Specifically, the script will:
- Modify the network DNS configuration.
- Set persistence through systemd.
- Drop and activate the new tool as a service.
- Download the latest IRC bot configuration.
Clear evidence of activities to complicate potential defender actions. After decoding, we can observe the bash script's functionality and how some malicious activity occurs before the shared library is created (figure 2).

Figure 2. Decoded bash script, via Alien Labs analysis.

The new tool is first dropped on disk as a hidden tar file; the script decompresses it, writes it to '/usr/local/lib/systemhealt.so', and then registers it for preloading via '/etc/ld.so.preload'. The system uses this file to preload the library before other system libraries, allowing the attacker to override some common functions (figure 3/4).

Figure 3/4. Bash script features, via Alien Labs analysis.

The main purpose of the tool is to hide the TeamTNT bot from process viewer tools, which use the file '/usr/bin/sbin' as you can s
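An added detection example for the two mechanisms described above (written for this review, not code from the article or from the libprocesshider project): it lists the libraries registered in /etc/ld.so.preload, and it enumerates /proc both through libc readdir(), which a preloaded library can hook, and by stat()ing /proc/<pid> directly, which a readdir() hook cannot filter; any PID seen only by the second method is a hidden process. The allow-list argument and the max_pid override are assumptions for this example.

```python
import os

PRELOAD_FILE = "/etc/ld.so.preload"  # the path the dropper registers systemhealt.so in


def parse_preload(text):
    """Return the library paths listed in an ld.so.preload body:
    whitespace-separated paths, '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def preload_findings(text, expected=()):
    """Any preloaded library not on the (assumed) allow-list is a finding;
    on most hosts the file is absent or empty."""
    return [lib for lib in parse_preload(text) if lib not in expected]


def pids_via_readdir(proc="/proc"):
    """Enumerate PIDs the way ps does: os.listdir() goes through libc
    readdir(), which a preloaded library can hook to drop entries."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_via_stat(proc="/proc", max_pid=None):
    """Enumerate PIDs without readdir(): stat() every /proc/<pid> directly,
    so a readdir() hook has nothing to filter. max_pid defaults to the
    kernel's pid_max; pass a smaller value when scanning a fake proc dir."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"{proc}/{pid}")
            found.add(pid)
        except FileNotFoundError:
            pass
    return found


def hidden_pids(proc="/proc", max_pid=None):
    """PIDs that exist but are missing from the readdir() view; scanned
    twice so processes that exited between scans are not reported."""
    scans = [pids_via_stat(proc, max_pid) - pids_via_readdir(proc) for _ in range(2)]
    return scans[0] & scans[1]
```

On a live host, `hidden_pids()` with the defaults walks the full pid_max range, which takes a few seconds in Python; a non-empty result or a non-empty `preload_findings()` both warrant a look at the library named.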
Tags: Malware, Tool, Threat


The article does not appear to have been picked up again after its publication.

The article does not appear to have been picked up from a previous one.