Skip links

AT&T Alien Labs warns of ‘zero or low detection’ for TeamTNT’s latest malware bundle

AT&T’s Alien Labs security division has sounded the alarm on a malware campaign from TeamTNT which, it claims, has gone almost entirely undetected by anti-virus systems – and which is turning target devices into cryptocurrency miners.

Described by Alien Labs researcher Ofer Caspi as “one of the most active threat groups since 2020,” TeamTNT is known for its use – and, indeed, abuse – of open-source security tools for everything from finding vulnerable targets to dropping remote-control shells.

In June this year Palo Alto Networks’ Unit 42 discovered a software repository dubbed Chimaera, which it said “highlights the expanding scope of TeamTNT operations within cloud environments as well as a target set for current and future operations.”

It is incredibly difficult to police how [open source tools] are used, as they operate without regulatory oversight and are totally reliant on disparate community rules

Now, AT&T’s Alien Labs has shone more light on Chimaera – and says that not only has it been in active use since July but that it is “responsible for thousands of infections globally” across Windows, Linux, AWS, Docker, and Kubernetes targets – and all while avoiding detection from anti-virus and anti-malware tools.

“In July 2021, TeamTNT began running the Chimaera campaign using new tools,” Caspi explained. “As of the publishing of this report, many of the samples analysed by Alien Labs have zero or low detection on VirusTotal” – a tool now owned by Google which scans submitted files against a phalanx of competing antivirus engines, providing a quick overview of detection coverage across a range of commercial products.

“In this case, most of the used files that are placed on disk at some point lack a clear malicious purpose by themselves,” Caspi told The Register of the reason the malware could go undetected for so long. “The malicious processes injected into memory without touching the disk are harder to identify if they don’t share indicators with previous malicious activity or perform any clearly malevolent activity.”

A key aspect of the Chimaera toolset is the use of Lazagne, an open-source utility designed with one purpose in mind: extracting credentials from popular browsers. Another tool attempts to locate and exfiltrate credentials for Amazon Web Services (AWS), while an IRC bot acts as a command and control server.

“The developers of open-source tools who do not want malware authors to use them usually do as much as they can to avoid it,” Caspi told us. “However, in this case, the author boasts about the inclusion of his tool in the Pupy RAT [Remote Access Trojan], as well as how it can be run with defence evasion techniques and to avoid dropping malicious files on disk.

“In this case, the tool Lazagne, conceived to retrieve all the passwords stored in a computer, is rarely going to be run with benign intentions. Therefore, it should have been detected at least as a hacking tool.”

“The issue of open-source tool abuse is a thorny one,” application security researcher Sean Wright told The Register. “On the one hand, you have freely openly available tools which are vital to the work of many security teams. On the other, a piece of software which can be adapted and used in even the most advanced attack chain with the potential for great damage.

“It is incredibly difficult to police how they are used, as they operate without regulatory oversight and are totally reliant on disparate community rules. The only way of controlling them would be to limit access, but on what grounds would permissions be granted? In terms of antivirus detections, many do trigger on such tools. However, given their open source nature, it doesn’t take an attacker much to obfuscate.”

Credential harvesting isn’t TeamTNT’s primary goal; instead, the group focuses on mining Monero, a privacy-focused cryptocurrency, on victim hardware. “The main objective of TeamTNT has always been to mine cryptocurrencies,” Caspi explained. “For this purpose, they install miners in any infected machines as well as exfiltrate credentials to command & control servers, in case they can leverage such credentials somehow.

“Monero is the most popular cryptocurrency in terms of the privacy offered, since the owner of a wallet cannot be tracked. In cybercrime, anonymity is more valued than profits – it’s probably for that reason Monero is being heavily used for cryptominers.”

“Defenders can be proactive in hardening their systems,” Caspi’s report concluded. “For example, due to the recent high profile attacks on Kubernetes – including those executed by TeamTNT – the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published ‘Kubernetes Hardening Guidance‘ in August of this year. Defenders should reference this guide to understand how to better defend against attacks like those used by TeamTNT.

“Keep your software with the latest security updates. Keep minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall. Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.”

The full report is available on the Alien Labs blog now. ®