Black-T – New Cryptojacking Variant from TeamTnT


Monday, October 5th, 2020

Unit 42, the threat research team at Palo Alto Networks, has discovered a new variant of cryptojacking malware, dubbed Black-T, attributed to the TeamTnT group. TeamTnT is known for stealing AWS credential files from compromised hosts and for mining Monero on them. Black-T follows the group's established pattern: it targets exposed Docker daemon APIs and then runs a cryptojacker on the systems it compromises. New to Black-T's TTPs (tactics, techniques and procedures) are the stopping of previously unknown cryptojacking worms and the scraping of plaintext passwords from memory with the open-source tools mimipy and mimipenguin. The scraped passwords are exfiltrated to a command-and-control (C2) server. This kind of post-exploitation activity is a change in pattern for TeamTnT.

Black-T bundles three network scanners for finding vulnerable Docker APIs, both on the local network and across the public internet, so that it can spread: masscan, pnscan and the newly added zgrab, the last of which is new to TeamTnT's TTPs. German-language phrases appear in several scripts attributed to TeamTnT, Black-T included, along with the taunting line "verbose mode is only for you 😉 so that you have something to watch in the sandbox."

TeamTnT is focused on cloud-based cryptojacking, and a Docker daemon API left reachable over the network hands such actors both an initial foothold and a view into internal network services. Keeping the Docker daemon API off the network (or, where remote access is genuinely needed, behind TLS client-certificate authentication) removes the access vector Black-T relies on. Host and cloud firewall rules that restrict who can reach the daemon, and cloud workload security tooling, add further layers. For an in-depth analysis of Black-T, including indicators of compromise (IoCs), see the Palo Alto Networks Unit 42 article.
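The following POSIX shell script is an added example, not code from the Unit 42 report or from TeamTnT's tooling. It audits a host for the access vector described above in two ways: from configuration (`hosts` entries in daemon.json and `-H`/`--host` flags on the dockerd command line, with `tlsverify` as the mitigating setting) and at runtime (a listener on 2375 or 2376 bound to a non-loopback address in `ss -ltn` output). The daemon.json contents, command lines and `ss` output embedded in it are constructed sample inputs; on a real host you would feed it /etc/docker/daemon.json, `ps -o args= -C dockerd` and `ss -ltn`.

```shell
#!/bin/sh
# Added example: audit a Linux host for an unauthenticated, network-reachable
# Docker daemon API, the exposure that Black-T's masscan/pnscan/zgrab stage hunts for.
# Not taken from the Unit 42 write-up or from TeamTnT's scripts; all sample
# inputs below are constructed for illustration.

# Does a single dockerd host spec (tcp://..., unix://..., fd://) reach the network?
# Loopback tcp bindings are treated as local-only.
spec_is_network_tcp() {
    case "$1" in
        tcp://127.*|tcp://localhost*|tcp://\[::1\]*) return 1 ;;
        tcp://*)                                     return 0 ;;
        *)                                           return 1 ;;
    esac
}

# audit_dockerd_config DAEMON_JSON DOCKERD_CMDLINE
# Returns 0 (and prints a finding) if the API is bound to a network address
# without tlsverify, 1 otherwise. Host specs are pulled from both the JSON
# "hosts" list and any -H / --host tcp:// flag on the command line.
audit_dockerd_config() {
    json="$1"; cmdline="$2"
    tcp_specs=$( { cat "$json" 2>/dev/null; printf '%s\n' "$cmdline"; } \
                 | grep -o 'tcp://[^ ",]*' || true )
    tls=1
    if grep -q '"tlsverify"[[:space:]]*:[[:space:]]*true' "$json" 2>/dev/null \
       || printf '%s\n' "$cmdline" | grep -q -- '--tlsverify'; then
        tls=0   # client certificates are required, so a tcp binding is authenticated
    fi
    for spec in $tcp_specs; do
        if spec_is_network_tcp "$spec" && [ "$tls" -ne 0 ]; then
            echo "EXPOSED: dockerd bound to $spec without tlsverify"
            return 0
        fi
    done
    return 1
}

# audit_listeners SS_OUTPUT
# Takes the text of `ss -ltn`; returns 0 if 2375 (plain HTTP) or 2376 (TLS)
# is listening on anything other than loopback, 1 otherwise.
audit_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 {
            # column 4 is Local Address:Port; the port follows the last ":"
            n = split($4, p, ":"); port = p[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((port == "2375" || port == "2376") && addr !~ /^(127\.|\[::1\]|::1)/) {
                print "LISTENING: " $4 " (" (port == "2375" ? "plain HTTP" : "TLS, verify client-cert settings") ")"
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# --- constructed sample inputs (not captured from a real host) ---------------
exposed_json=$(mktemp); cat > "$exposed_json" <<'EOF'
{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"] }
EOF
safe_json=$(mktemp); cat > "$safe_json" <<'EOF'
{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem" }
EOF
trap 'rm -f "$exposed_json" "$safe_json"' EXIT
exposed_cmdline='/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock'
safe_cmdline='/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'
exposed_ss='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:631     0.0.0.0:*
LISTEN 0      4096   *:2375            *:*
LISTEN 0      128    [::]:22           [::]:*'
safe_ss='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:2375    0.0.0.0:*
LISTEN 0      128    [::]:22           [::]:*'

main() {
    audit_dockerd_config "$exposed_json" "$exposed_cmdline"
    audit_dockerd_config "$safe_json" "$safe_cmdline" || echo "config OK (tcp binding requires client certs)"
    audit_listeners "$exposed_ss"
    audit_listeners "$safe_ss" || echo "listeners OK (2375 only on loopback)"
}
main
```

A daemon bound to `tcp://0.0.0.0:2376` with `tlsverify` passes the configuration check only because client certificates are required; if the CA in `tlscacert` is shared widely or the key material sits on the same host, treat that binding with the same suspicion as port 2375.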

