Black-T: New Cryptojacking Variant from TeamTNT

This post is also available in: 日本語 (Japanese)

Executive Summary

Unit 42 researchers discovered a new variant of cryptojacking malware named Black-T, authored by TeamTNT, a group known to target AWS credential files on compromised cloud systems and mine for Monero (XMR). Black-T follows the traditional TeamTNT tactics, techniques and procedures (TTPs) of targeting exposed Docker daemon APIs and performing scanning and cryptojacking operations on vulnerable systems of affected organizations. However, code within the Black-T malware sample gives evidence of a shift in TTPs for TeamTNT operations.

Of these new TTPs, most notable are the targeting and stopping of previously unknown cryptojacking worms (i.e. the Crux worm, ntpd miner, and a redis-backup miner). Also, TeamTNT has been implementing the use of memory password scraping operations via mimipy and mimipenguins, which are *NIX equivalents to the commonly used Windows-specific memory password scraper functionality of Mimikatz. Mimikatz is a tool capable of scraping plaintext passwords from Windows OS systems, and also has the capability to perform pass-the-hash and pass-the-token operations, allowing attackers to hijack user sessions. Any identified passwords which were obtained through mimipenguins are then exfiltrated to a TeamTNT command and control (C2) node. This is the first time TeamTNT actors have been witnessed including this type of post-exploitation operation in their TTPs.

The Black-T tool also has the capability to use three different network scanning tools to identify additional exposed Docker daemon APIs, within the local network of the compromised system and across any number of publicly accessible networks, to extend their cryptojacking operations. Both masscan and pnscan have been used before by TeamTNT actors. However, the addition of zgrab, a GoLang network scanner, marks the first time that a GoLang tool has been witnessed incorporated into TeamTNT’s TTPs. There was also an update to the masscan network scanner operation to include searching for TCP port 5555. While the exact purpose regarding adding port 5555 to the scanner is unknown, there have been documented cases where XMR cryptojacking is occurring on Android-based devices. This could indicate a new unknown target set for expanding TeamTNT cryptojacking operations. However, there is little evidence to support TeamTNT targeting Android devices.

Unit 42 researchers have discovered several German-language phrases inserted into multiple TeamTNT scripts, Black-T included. The very first line within the script following an ASCII art banner reads: verbose mode ist nur für euch 😉 damit ihr was zum gucken habt in der sandbox :-* which translates to “verbose mode is only for you 😉 so that you have something to watch in the sandbox.” There have been several other cases where German phrases have been used within TeamTNT scripts.

Palo Alto Networks Prisma Cloud can assist in securing cloud deployments against the threats posed by TeamTNT, by guiding organizations to better detect vulnerabilities or misconfigurations in cloud environment settings and infrastructure as code (IaC) templates prior to deploying production systems. Additionally, by installing the latest apps and threat definitions on Palo Alto Networks Next-Generation Firewall, network connections to known XMR public mining pools, or to malicious domains and IPs, can be prevented before the environment is compromised.

Black-T Dissection

The Black-T script is downloaded from the TeamTNT domain, hxxps://teamtnt[.]red/BLACK-T/SetUpTheBLACK-T, to the compromised cloud system that maintained an exposed Docker daemon API. Once downloaded to the compromised system, the script will perform the following actions.

First, there is a display of an ASCII art banner declaring that this variant is version 1 (see Figure 1). Then, the script performs a clean and system prep operation, in which the script will remove known cryptojacking malware already in place on the compromised system. Black-T specifically targets Kinsing malware, a competing cryptojacking process family. It is also important to note that TeamTNT authors have copied several pieces of malware code, both within previous TeamTNT tools as well as within this Black-T tool, to augment their own cryptojacking malware. Specifically, this copied code allows for the removal and evasion of Aliyun and Tencent cloud security software, and adds AWS credential-stealing features and masscan scanning functionality.

Disable Active XMR Miners

Unit 42 researchers also found evidence that the TeamTNT authors are now targeting other potential competing cryptojacking malware families, outside of the previously mentioned kinsing cryptojacking process. These competing cryptojacking processes include kswapd0, ntpd miner, redis-backup miner, auditd miner, migration miner, and finally, the Crux worm (see Figure 2) as well as the Crux worm miner (see Figure 3). With the inclusion of these potential cryptojacking processes found within the Black-T malware, it would appear that these cryptojacking processes are known to the TeamTNT authors as competing for cloud processing resources. This would also indicate there are several cryptojacking processes currently unknown to defense teams and efforts should be taken to identify and build mitigation rules for these currently unknown cryptojacking processes. There is an XMR public mining pool called cruxpool[.]com. However, no additional information is currently available to support if the Crux worm uses the public mining pool cruxpool, or if this is simply a clever naming convention used by cryptojacking operators.

Following the cleaning of any known cryptojacking processes, the Black-T malware will also perform a cleaning operation for any known xmrig process currently running on the compromised system. XMRig is a popular open-source process, which facilitates the computational operations needed to mine the XMR cryptocurrency.

Of note, TeamTNT makes use of customized processes within their scripts. These custom processes represent traditional *NIX processes, but have the prefix “tnt” added to the process name. For example, tntrecht is a customized process that is loaded into /usr/local/bin/tntrecht on the compromised system and is likely used to hijack and modify the permissions of legitimate *NIX processes to be used for TeamTNT operations. The modified legitimate processes are subsequently renamed with the “tnt” prefix – for instance, tntwget and tntcurl.

System Setup

Following the cleanup of the compromised system, the script will further set up the system environment by setting Path Variables: PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin, naming 8.8.4.4 and 8.8.8.8 as new DNS servers, and finally, flushing all established IP table rules using the command iptables -F.

The script will then check to see which *NIX package manager is installed on the compromised system: Advanced Package Tool (APT), Yellowdog Updater, Modified (YUM) or Alpine Linux package manager (APK). Regardless of the package manager type identified, the script will install masscan, along with libpcap to perform network packet traffic listening, pnscan (a network scanning tool, although within the current sample, pnscan functionality has been commented out), zgrab (a GoLang tool built for zmap), Docker and jq (a flexible command-line JSON processor). See the setup image in Figure 4.

Unit 42 researchers believe that TeamTNT actors are planning on building more sophisticated cryptojacking features into their tool sets – specifically for identifying vulnerable systems within various cloud environments. Never before has TeamTNT been known to use the network scanner software zmap. But TeamTNT is not only using zmap, they are using the little-known zgrab, which is a GoLang tool used to capture address banners. It is currently unclear how TeamTNT actors will use this data, but it is highly likely the actors are giving zgrab a trial run to test the scanner’s functionality for their operations, and may make adjustments accordingly. This idea is supported by the zgrab GitHub page, which states that, “zgrab tends to be very unstable, API's may break at any time, so be sure to vendor zgrab.” It is further supported by the fact that during the time of writing this blog, zmap had deprecated the original zgrab tool, which was used in Black-T, and has replaced it with a new version of zgrab, called zgrab2.

Unit 42 researchers do know that TeamTNT actors are placing a great deal of importance on scanning capabilities within the Black-T tool, as there are currently three different scanners built into this tool (masscan, pscan and zgrab).

Download Toolsets

The Black-T variant downloads two files, which execute directly into bash: hxxps://teamtnt[.]red/BLACK-T/beta and hxxps://teamtnt[.]red/BLACK-T/setup/bd.

Beta

Beta is used to make a new directory /.../ where the following files are compressed into two tar files named root.tar.gz:

• /root/.bash_history
• /root/.ssh/
• /etc/hosts
• /root/.docker/
• /root/.aws/
• /root/*.sh
• /home/*/.bash_history
• /home/*/.ssh/
• /home/*/*.sh

And, cron.tar.gz:

• /etc/cron*/
• /var/spool/cron/

These two files, upon compression, are then sent to the URL hxxps://teamtnt[.]red/only_for_stats/dup.php. It is important to note that TeamTNT actors are still targeting AWS credential and configuration files located on compromised AWS cloud systems. If compromised systems do contain AWS credentials, the TeamTNT actors could attempt to use these AWS credentials to expand their cryptojacking operations within the compromised system’s AWS environment. By using the AWS credentials obtained from the exposed and compromised Docker daemon system, TeamTNT actors could use this system as a pivot point to gain access to additional cloud systems and resources that use the same AWS credentials and which are hosted within the system’s larger AWS environment.

The beta script then downloads the file hxxps://teamtnt[.]red/x/pw, and also downloads the hxxps://teamtnt[.]red/BLACK-T/setup/bd, which is a duplicate from the Black-T download.

Finally, the beta script will set the service token for monitoring XMR mining operations. This token is set as abyofigfefda6c3itn9f3zkrmjfays31, and it will redownload the Black-T script, hxxps://teamtnt[.]red/BLACK-T/SetUpTheBLACK-T. This is likely done as a means of redundancy to provide actors with different types of operations to launch following the exploitation of a system.

pw

The script pw is very intriguing, as it performs post-exploitation operations of password scraping using mimipy and mimipenquin, which are *NIX tools adapted for use from the Windows tool Mimikatz. Upon uncovering any passwords residing in memory within the compromised system, the passwords are written to the file /var/tmp/.../output.txt, which is then uploaded to hxxps://teamtnt[.]red/only_for_stats/dup.php. See Figure 5.

bd

The script bd is used to download the XMR mining software relevant to the given compromised system. These downloaded files and the SHA256 values for the mining software have been reported on before during an operation targeting Weave Scope deployments.

Unit 42 researchers downloaded each of the software samples and believe these samples to be the same style of samples that have been previously reported (see Table 1).

Table 1. TeamTNT XMR mining software.

XMR Miner Setup

The Black-T script then downloads the known XMR miner software sbin_u, (SHA256: fae2f1399282508a4f01579ad617d9db939d0117e3b2fcfcc48ae4bef59540d9). This type of mining software has been linked before to TeamTNT. VirusTotal currently only lists the malware as an 8/62, but does label it as an Executable Linkable Format (ELF) CoinMiner (see Figure 7), mining software which operates on *NIX platform systems.

Finally, Black-T configures the XMR mining software to use the following XMR wallet address: 84xqqFNopNcG7T5AcVyv7LVyrBfQyTVGxMFEL2gsxQ92eNfu6xddkWabA3yKCJmfdaA9jEiCyFqfffKp1nQkgeq2Uu2dhB8. Figure 8 shows that as of the time of this writing, only five workers were reported producing 8.2 KH/s, which is down from a maximum of 25.05 KH/s on September 26, 2020. This particular XMR wallet has only managed to gather roughly US$10 as of September 29, 2020, likely due to the fact that this is a very new variant of cryptojacking software and hasn’t had much time to spread.

Worm Functionality

TeamTNT has long maintained its usage of worm-like techniques and has used masscan or pnscan to discover vulnerable systems. Black-T is no exception. However, there is a subtle difference between previously reported TeamTNT masscan operations and those present within Black-T. Specifically, in Black-T, we see the addition of a new scanning port, TCP 5555 (see Figure 9). While the exact purpose of adding port 5555 to the scanner is unknown, there have been documented cases where XMR cryptojacking is occurring on Android-based devices. This could indicate a new unknown target set for expanding TeamTNT cryptojacking operations. However, there is little evidence to support TeamTNT targeting Android devices.

Additionally, Black-T also performs scanning operations on a random CIDR 8 network range as it searches for exposed Docker API instances. This is also a new finding related to TeamTNT TTPs (see Figure 10). By expanding the scanning range of Black-T, TeamTNT actors are greatly expanding the scope of their targeting operations. Instead of only scanning the local network range of a compromised system, Black-T will begin scanning an entire CIDR 8 network range at random. For example, if Black-T selects 134.0.0.0/8, any address between 134.0.0.0 and 134.255.255.255 which contains an exposed Docker daemon API will be targeted and Black-T will attempt to exploit that system. Given enough time, every publicly available IP address will be scanned for an exposed Docker daemon API system. This has the potential to greatly increase the number of compromised systems owned by TeamTNT actors.

Conclusion

TeamTNT is a cloud-focused cryptojacking group which targets exposed Docker daemon APIs. Upon successful identification and exploitation of the Docker daemon API, TeamTNT will drop the new cryptojacking variant Black-T. This variant installs up to three different types of network scanners (masscan, pnscan and zgrab), which are used to scan for additional exposed Docker daemon APIs. Black-T will also perform memory scraping operations following the successful exploitation of the cloud system. This is performed via mimipy and mimipenguins scripts, which are downloaded to the compromised system. Any identified passwords are then exfiltrated to a TeamTNT C2 node. Similar to the stolen AWS credentials also captured by the TeamTNT actors, these credentials are likely to be used for additional operations targeted against the organization managing the compromised Docker API.

In order to protect cloud systems from TeamTNT’s Black-T cryptojacking malware, organizations should perform the following actions:

• Ensure that cloud environments are not exposing Docker daemon APIs or any other network service, which inadvertently exposes sensitive internal network services.
• Leverage Palo Alto Networks Prisma Cloud to secure cloud deployments.
• Install the latest apps and threat definitions on the Palo Alto Networks Next-Generation Firewall.

Indicators of Compromise

URLs

hxxps://teamtnt[.]red

hxxps://teamtnt[.]red/BLACK-T/beta

hxxps://teamtnt[.]red/BLACK-T/CleanUpThisBox

hxxps://teamtnt[.]red/BLACK-T/setup/bd

hxxps://teamtnt[.]red/BLACK-T/setup/docker-update

hxxps://teamtnt[.]red/BLACK-T/setup/hole

hxxps://teamtnt[.]red/BLACK-T/setup/kube

hxxps://teamtnt[.]red/BLACK-T/setup/tshd

hxxps://teamtnt[.]red/BLACK-T/SetUpTheBLACK-T

hxxps://teamtnt[.]red/BLACK-T/SystemMod

hxxps://teamtnt[.]red/ip_log/getip[.]php

hxxps://teamtnt[.]red/only_for_stats/dup[.]php

hxxps://teamtnt[.]red/x/getpwds[.]tar[.]gz

hxxps://teamtnt[.]red/x/pw

hxxps://iplogger[.]org/blahblahblah

Monero Mining Pool

MoneroOcean[.]stream

SHA-256 Hashes

Black-T related hashes

Mimipy and Mimipenguin Related Hashes

Monero Wallet

84xqqFNopNcG7T5AcVyv7LVyrBfQyTVGxMFEL2gsxQ92eNfu6xddkWabA3yKCJmfdaA9jEiCyFqfffKp1nQkgeq2Uu2dhB8