Cryptominer worm learned to steal passwords from Linux computers

Thursday, October 8, 2020, 20:22 GMT

The creators of the Black-T worm and botnet have been expanding the features of their malware over the span of many months to make as many devices vulnerable to it as possible.

New picks for worms

The Black-T crypto-mining worm has acquired network scanning tools for more efficient distribution and has learned to steal passwords from Linux systems. This worm was historically used mainly for attacks on networks with virtual Docker nodes installed on them and naturally illegal subsequent generation of the Monero cryptocurrency (XMR).

The creators have now fitted their malware with methods to extract RAM passwords. Two open source Mimikatz module alternatives are used to do this-mimipy (for Windows , Linux and macOS) and mimipenguin (for Linux only). First of all, it intercepts those passwords entered in plaintext.

The developers have fitted the Black-T with a zgrab network scanner on top of that. This is, however, the third scanner the worm is armed with. Researchers previously noticed pnscan and masscan on it, and masscan was modified in the latest release to aim open TCP port 5555. This may mean an immediate launch of attacks on Android systems, according to Unit 42 experts.

And all for Monero

In recent months, the Black-T developers-the TeamTNT community-have been incredibly successful. In May 2020, the botnet generated by their cryptominer was identified. The worm acquired the feature of stealing access credentials to resources in the AWS cloud in August (nothing like this was achieved with cryptominers before that).

TeamTNT attacks were noted by Intezer experts in September using WeaveScope, a legal platform for inventorying active operations, hosts, and containers on infected servers. To take care of built programs, this method was also used.

“Apparently, the creators of the worm are highly ambitious: they are evidently interested not just in optimizing benefit, that is, producing the greatest possible amount of units of the Monero cryptocurrency, but also in the greatest contagiousness of their malware.

According to Alexey Vodyasov, CTO of SEC Consult Services, this is not the first known case of adding features covering an increasing amount of data that malware steals. — Maybe the most promising way to deal with this will be to deploy applications on all servers and virtualization environments that detects and prevents the operation of Monero-associated operations. The generation of cryptocurrencies on systems that were not constructed for this purpose is, in most cases, of a purely criminal nature. And to discourage contamination, don’t forget about such steps as shutting unauthorized connections to the Docker API.