Security experts at AT&T Alien Labs uncovered a new detection evasion tool leveraged by the threat actor group TeamTNT. Dubbed “Libprocesshider,” the tool is copied from open-source repositories. It helps cybercriminals hide their malware and malicious processes from process information programs like “ps” and “lsof,” acting as a defense evasion technique. The purpose of Libprocesshider is to hide the TeamTNT bot from process viewer tools and to remove traces of the malware by deleting the bash history.
“The tool implements the function readdir(), which is being used by processes such as `ps` to read the /proc directory to find running processes and to modify the return value in case there is a match between the processes found and the process needed to hide. The new tool arrives within a base64 encoded script hidden in the TeamTNT cryptominer binary or ircbot,” AT&T said.
According to the researchers, the script performs the following actions:
- Modify the network DNS configuration
- Set persistence through systemd
- Drop and activate the new tool as a service
- Download the latest IRC bot configuration
- Clear evidence of activities to complicate potential defender actions
How Is Libprocesshider Deployed?
- First, Libprocesshider is dropped as a hidden tar file on disk.
- The script decompresses it, writes it to /usr/local/lib/systemhealt.so and registers that path in /etc/ld.so.preload.
- The dynamic loader then loads this library ahead of the other system libraries in every dynamically linked process, allowing the attacker to override the library functions that common scanning tools rely on.
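The two mechanisms described above, the readdir() hook in the AT&T quote and the /etc/ld.so.preload registration in the deployment steps, leave a gap a defender can use: a preloaded readdir() can only filter directory listings, while a path lookup such as opening /proc/<pid>/status is resolved by the kernel. The script below is an added example written for this page; it is not code from the AT&T report or from TeamTNT. It assumes a Linux host with glibc and procfs at /proc, lists whatever /etc/ld.so.preload currently injects, then brute-forces PIDs up to pid_max by path and reports any thread-group leader that a readdir()-based listing omits.

```python
#!/usr/bin/env python3
"""Defender-side checks for an ld.so.preload readdir() hook (added example,
not code from the AT&T report or from TeamTNT; assumes Linux, glibc, /proc).

Check 1: list every library registered in /etc/ld.so.preload. The loader
injects each of them into every dynamically linked process, so a rootkit
library such as the /usr/local/lib/systemhealt.so named in the article
appears here.

Check 2: os.listdir("/proc") goes through libc readdir() and can be filtered
by a preloaded hook; open("/proc/<pid>/status") is a path lookup handled by
the kernel and is not. A PID that has a status file but is missing from the
listing is being hidden from process viewers.
"""
import os

LD_PRELOAD_FILE = "/etc/ld.so.preload"
PID_MAX_FALLBACK = 32768  # used only if /proc/sys/kernel/pid_max is unreadable


def parse_ld_preload(text: str) -> list[str]:
    """Split ld.so.preload content into library paths.

    glibc separates entries on whitespace or ':' and treats '#' to end of
    line as a comment, so both are handled here.
    """
    libs: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.replace(":", " ").split())
    return libs


def audit_ld_preload(path: str = LD_PRELOAD_FILE) -> list[tuple[str, bool]]:
    """Return (library, exists_on_disk) per preload entry; [] if no file."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except FileNotFoundError:
        return []
    return [(lib, os.path.exists(lib)) for lib in parse_ld_preload(text)]


def proc_status_tgid(pid: int):
    """Tgid from /proc/<pid>/status, or None when the PID does not exist."""
    try:
        with open(f"/proc/{pid}/status", encoding="ascii", errors="replace") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def is_process_leader(pid: int) -> bool:
    """True for a thread-group leader, i.e. a real process.

    /proc/<tid> also resolves by path but is never listed by readdir(), so
    without this filter every thread would look like a hidden process.
    """
    return proc_status_tgid(pid) == pid


def listed_pids() -> set[int]:
    """PIDs as a readdir()-based tool sees them (os.listdir calls readdir)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def find_hidden_pids(visible, pid_max: int, is_leader=is_process_leader) -> list[int]:
    """PIDs that resolve as processes by path but are absent from `visible`."""
    seen = set(visible)
    return [pid for pid in range(1, pid_max + 1) if pid not in seen and is_leader(pid)]


def read_pid_max() -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return PID_MAX_FALLBACK


def main() -> int:
    findings = 0
    for lib, present in audit_ld_preload():
        findings += 1
        state = "present" if present else "MISSING on disk"
        print(f"[preload] {lib} ({state}) - review this entry")
    if not findings:
        print(f"[preload] no entries in {LD_PRELOAD_FILE}")

    # Probe between two listings so a process that starts or exits mid-scan
    # is not mistaken for a hidden one: only PIDs that are alive and unlisted
    # both before and after the probe are reported.
    before = listed_pids()
    candidates = find_hidden_pids(before, read_pid_max())
    after = listed_pids()
    hidden = [p for p in candidates if p not in after and is_process_leader(p)]
    for pid in hidden:
        print(f"[hidden] pid {pid} has /proc/{pid}/status but is absent from readdir()")
    return 1 if (findings or hidden) else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

A non-empty ld.so.preload is not proof of compromise on its own (some performance and debugging tools use it legitimately), which is why the script prints entries for review rather than judging them. The PID sweep runs up to pid_max, which can be in the millions on current kernels, so expect it to take some seconds. A preload library that also hooks fopen() or open() could defeat the status-file probe from inside the same process; running the check from a statically linked binary, or comparing against a listing taken from outside the host, closes that gap.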
“Through the use of Libprocesshider, TeamTNT once again expands their capabilities based on the available open-source tools. While the new functionality of Libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level,” AT&T added.