TeamTNT is targeting CentOS VPS clouds with SSH brute force attacks. It has uploaded a malicious script that disables security, deletes logs, and modifies system files to kill existing miners, remove Docker containers, and redirect DNS to Google servers.
The script stealthily installs the Diamorphine rootkit to gain root privileges and maintain persistent control by modifying system settings to hide its presence, creating a backdoor user with root access, and erasing command history to cover its tracks.
Researchers discovered a new campaign targeting CentOS VPS cloud infrastructures.
The attackers use SSH brute force to gain initial access and upload a malicious script that checks for previous compromises by searching for logs from other mining activities.
It checks for a recent xmrig.log file, then disables the firewall and NMI watchdog and deletes the syslog folder by modifying the permissions of various system directories and the authorized_keys file.
The script searches for an Alibaba cloud daemon and removes it. Then, it disables security measures SELinux and AppArmor to kill cryptocurrency mining processes by matching signatures.
The threat actor uses a custom tool, “tntrecht,” to modify permissions and rename legitimate processes on the compromised host, while Docker is used to terminate and remove coin miner containers, and the DNS configuration is altered to use Google DNS servers.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration
The script modifies crontab files to establish persistence, cleans up existing jobs, and implants malicious code to ensure continuous execution and system lockdown.
It creates a cron job to periodically download a copy of the payload from a specific C2 server, which ensures the payload remains accessible even if the source is compromised.
The crontab file’s timestamp is intentionally old to mislead security analysts and make it harder to detect malicious activity.
The script verifies root privileges, then creates a directory and copies a base64-encoded payload into it.
When extracted, the payload reveals three files: diamorphine.c, diamorphine. h, and Makefile.
These constitute the source code of a rootkit named Diamorphine, which is available on GitHub.
The diamorphine rootkit, a Linux kernel module, grants attackers elevated privileges and stealthy execution capabilities.
This allows attackers to hide processes, files, and themselves and even allow users to become root, posing a significant security threat to compromised systems.
TeamTNT locked down the compromised system by using chattr to modify file attributes. This prevented the administrator from executing chatter or other recovery tools, effectively blocking any attempts to reboot, power off, or regain access to the system.
According to Group IB, the attacker creates a new user with root privileges, adds it to the sudoer group, and configures SSH to allow access using a public key, which provides persistent access to the system.
The script modifies SSH and firewall settings to enhance security and stealth, which changes the SSH port to 11222, enables public key authentication, and opens the firewall for inbound connections on port 11222.
Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free