Cybersecurity firm Unit 42 has uncovered a new version of cryptocurrency mining botnet called TeamTnT that steals passwords from a compromised computer, according to its Oct. 5 report.
In such a way, TeamTnT continues to diversify the capabilities of its malware beyond stealthy mining privacy coin Monero (XMR).
The bad actors behind the botnet utilize the equivalents of popular password-scraping tool Mimikatz.
Dubbed “Black-T,” the new variant of the botnet sends stolen passwords to a command and control (C2) node controlled by the TeamTnT hacking group:
Any identified passwords which were obtained through mimipenguins are then exfiltrated to a TeamTnT command and control (C2) node. This is the first time TeamTnT actors have been witnessed including this type of post-exploitation operation in their TTPs.
According to Unit 42, traces of other cryptojacking processes, such as the Crux worm miner, have been detected in the code of Black-T:
With the inclusion of these potential cryptojacking processes found within the Black-T malware, it would appear that these cryptojacking processes are known to the TeamTnT authors as competing for cloud processing resources. This would also indicate there are several cryptojacking processes currently unknown to defense teams and efforts should be taken to identify and build mitigation rules for these currently unknown cryptojacking processes.
The group’s C2 is believed to be hosted by a Germany-based company. It is worth noting that Black-T and other malicious scripts attributed to the group contain some phrases in the German language.
The code of the Monero-mining worm attributed to the TeamTnT group was first discovered back in May.
Researchers from Cado Security later found out that TeamTnT was also capable of stealing Amazon Web Services (AWS) credentials from compromised servers. Parts of the code of another cloudjacking worm Kinsing were found in the exploit.
Cryptojackers are becoming more sophisticated. The Stantinko botnet started implementing new obfuscating techniques for illegally mining XMR earlier this year.