This Linux malware uses open source software to hide its malicious processes


Security researchers have discovered that a notorious threat group has upgraded its arsenal with a new tool that enables its malware to avoid detection on Linux.

Researchers at AT&T’s Alien Labs report that the TeamTNT cybercrime group, known for its break-ins into popular cloud instances for mining cryptocurrency, is now using a detection-evasion tool that is based on the open source libprocesshider library.

The libprocesshider library describes itself as a means to “hide a process under Linux.”

Pulling a Keyser Soze

TeamTNT is infamous for targeting misconfigured Docker instances with crypto mining malware, and has recently moved on to targeting Kubernetes installations and stealing AWS credentials as well.

According to reports, the group had recently shifted tactics by updating its Linux cryptojacking malware named Black-T to also harvest user credentials from infected servers. It has now gone one step further and added the detection-evasion capabilities to the Black-T malware.

The researchers report that the new tool is delivered within a base64-encoded script, hidden in the TeamTNT cryptominer binary, or through its Internet Relay Chat (IRC) bot. Once delivered, it masks the malicious binary from process information tools such as ps and lsof.

The AT&T researchers note that TeamTNT is also known for deploying updates to its cryptomining malware, the previous one being a new memory loader based on Ezuri and written in Golang.

“While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level,” suggest the researchers.
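A defender-side hunt in the spirit of that advice, added here as an example and not code from the article, TeamTNT or the libprocesshider project. libprocesshider is a shared object installed through /etc/ld.so.preload that filters the target's entry out of libc's readdir() results for /proc, which is why ps and lsof lose sight of the process; a direct stat() of /proc/<pid> is a different syscall and still succeeds. The script below lists /proc both ways, reports PIDs that only the stat() probe can see, and prints any ld.so.preload entries; the helper names and the pid_max fallback value are my own assumptions.

```python
import os
from pathlib import Path

PRELOAD_FILE = "/etc/ld.so.preload"   # where libprocesshider's README installs it
FALLBACK_PID_MAX = 4194304            # Linux default ceiling for pid_max on 64-bit

def listed_pids(proc="/proc"):
    """PIDs as a directory listing reports them. os.listdir goes through libc
    readdir(), which is exactly the call a preloaded hook filters."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def probed_pids(proc="/proc", max_pid=None):
    """PIDs found by stat()ing /proc/<n> for every candidate n: stat() is a
    separate syscall that a readdir() hook never sees, so hidden PIDs show up."""
    if max_pid is None:
        try:
            max_pid = int(Path(proc, "sys/kernel/pid_max").read_text())
        except (OSError, ValueError):
            max_pid = FALLBACK_PID_MAX
    return {n for n in range(1, max_pid + 1) if os.path.isdir(f"{proc}/{n}")}

def hidden_pids(listed, probed):
    """Candidates that exist on the filesystem but are absent from the listing."""
    return sorted(probed - listed)

def confirm_hidden(candidates, proc="/proc"):
    """Re-check each candidate so processes that merely exited or started
    between the two scans (the benign way the sets differ) are dropped."""
    return [n for n in candidates
            if os.path.isdir(f"{proc}/{n}") and str(n) not in os.listdir(proc)]

def preload_entries(text):
    """Library paths from ld.so.preload content; on a host with no legitimate
    reason for preloads, any entry at all deserves a look."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def self_check(proc="/proc"):
    """The probe must find this very process (range capped at our own PID to
    keep it fast); None when /proc is unavailable on this system."""
    me = os.getpid()
    return None if not os.path.isdir(proc) else me in probed_pids(proc, me)

if __name__ == "__main__":
    if os.path.exists(PRELOAD_FILE):
        print("ld.so.preload entries:", preload_entries(Path(PRELOAD_FILE).read_text()))
    for pid in confirm_hidden(hidden_pids(listed_pids(), probed_pids())):
        print(f"hidden process: pid={pid}")
```

With the default pid_max the probe stats a few million paths and takes several seconds, which is acceptable for a one-off hunt; a hidden PID is worth reading /proc/<pid>/exe and /proc/<pid>/cmdline for before acting on it.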

Via: BleepingComputer

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
