Cyber Attack

TeamTNT Hackers Attacking VPS Servers Running CentOS

TeamTNT is targeting CentOS VPS clouds with SSH brute force attacks. It has uploaded a malicious script that disables security, deletes logs, and modifies system files to kill existing miners, remove Docker containers, and redirect DNS to Google servers.

The script stealthily installs the Diamorphine rootkit to gain root privileges and maintain persistent control by modifying system settings to hide its presence, creating a backdoor user with root access, and erasing command history to cover its tracks.

Researchers discovered a new campaign targeting CentOS VPS cloud infrastructures.

The attackers use SSH brute force to gain initial access and upload a malicious script that checks for previous compromises by searching for logs from other mining activities.

Checking miner existence

It checks for a recent xmrig.log file, then disables the firewall and NMI watchdog and deletes the syslog folder by modifying the permissions of various system directories and the authorized_keys file.

The script searches for an Alibaba cloud daemon and removes it. Then, it disables security measures SELinux and AppArmor to kill cryptocurrency mining processes by matching signatures.

The threat actor uses a custom tool, “tntrecht,” to modify permissions and rename legitimate processes on the compromised host, while Docker is used to terminate and remove coin miner containers, and the DNS configuration is altered to use Google DNS servers.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

commands executed to remove any miner running via Docker

The script modifies crontab files to establish persistence, cleans up existing jobs, and implants malicious code to ensure continuous execution and system lockdown.

It creates a cron job to periodically download a copy of the payload from a specific C2 server, which ensures the payload remains accessible even if the source is compromised. 

The crontab file’s timestamp is intentionally old to mislead security analysts and make it harder to detect malicious activity.

The script verifies root privileges, then creates a directory and copies a base64-encoded payload into it. 

When extracted, the payload reveals three files: diamorphine.c, diamorphine. h, and Makefile.

These constitute the source code of a rootkit named Diamorphine, which is available on GitHub.

Commands used to deliver the encoded payload

The diamorphine rootkit, a Linux kernel module, grants attackers elevated privileges and stealthy execution capabilities.

This allows attackers to hide processes, files, and themselves and even allow users to become root, posing a significant security threat to compromised systems.

TeamTNT locked down the compromised system by using chattr to modify file attributes. This prevented the administrator from executing chatter or other recovery tools, effectively blocking any attempts to reboot, power off, or regain access to the system.

According to Group IB, the attacker creates a new user with root privileges, adds it to the sudoer group, and configures SSH to allow access using a public key, which provides persistent access to the system.

The script modifies SSH and firewall settings to enhance security and stealth, which changes the SSH port to 11222, enables public key authentication, and opens the firewall for inbound connections on port 11222. 

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Aman Mishra

Recent Posts

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

22 hours ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

2 days ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

2 days ago

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…

2 days ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

2 days ago