
Black-T Malware: A Cryptojacking Worm That Can Steal Passwords

The cybercrime group TeamTnT has upgraded Black-T, its Monero-mining malware, with password-stealing capabilities and worm functionality that lets it spread on its own to other exposed hosts.

Security researchers at Palo Alto Networks Unit 42 report that the group has shifted tactics, bundling mimipy and mimipenguin, two open-source Linux password scrapers modelled on Mimikatz, to harvest plaintext credentials from process memory and hijack user sessions.

Black-T was also fitted with zgrab, a Go-based network scanner, which it uses to find other exposed Docker daemon APIs reachable from the infected host. This is what gives Black-T its worm-like behaviour: each newly compromised host scans for and infects further unauthenticated Docker daemons, so the cryptojacking operation can hop across any number of publicly reachable networks.

The masscan port scanner, configured to look for TCP port 5555 (the port conventionally used by Android Debug Bridge over TCP), was also added to the toolset. The exact reason for this addition is unclear, but it could indicate that TeamTnT intends to widen its target list. The researchers note that XMR cryptojacking on Android devices has been documented in the past; however, there is no other evidence that TeamTnT plans to expand its operations to mobile devices.

"[T]here have been documented cases where XMR cryptojacking is occurring on Android-based devices," researchers say, adding that "there is little evidence to support TeamTnT targeting Android devices."

Infection chain

As expected from TeamTnT, the new attacks begin by identifying and exploiting Docker daemon APIs that are exposed to the network without authentication. Once inside, the group drops the upgraded Black-T malware, which then scans for other exposed Docker daemon APIs and attempts to spread to them.
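The infection chain above hinges on one misconfiguration: a Docker daemon listening on a plaintext TCP socket with no client authentication, which is exactly what the worm's scanners look for. The following Python script is an added example (not code from the original article, from Unit 42 or from TeamTnT) that lets an administrator check their own hosts for that condition from both sides: it audits a parsed `/etc/docker/daemon.json` for an unauthenticated `tcp://` listener, and it issues the same unauthenticated `GET /version` request a scanner would, so you can confirm what an attacker on the network actually sees. The two daemon.json dictionaries are constructed for illustration; the port numbers 2375/2376 are the conventional plaintext/TLS Docker API ports and are an assumption about the target, not a fact taken from the article.

```python
"""Check a Docker host for the exposure that Black-T's scanners target.

Added example, not code from the article or any of the parties it describes.
  audit_daemon_config(): flag a daemon.json that exposes the API over TCP
                         without client-certificate verification.
  probe_docker_api():    the unauthenticated GET /version a scanner sends.
"""
import http.client
import json
import socket
from typing import List, Optional

DOCKER_API_PORT = 2375   # assumed conventional plaintext Docker API port
DOCKER_TLS_PORT = 2376   # assumed conventional TLS Docker API port

# Constructed sample configs (hypothetical, not from any real host).
EXPOSED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,                     # require a client certificate
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


def audit_daemon_config(config: dict) -> List[str]:
    """Return findings for a parsed daemon.json; an empty list means OK.

    A unix-socket-only daemon is not reachable over the network and passes.
    Any tcp:// listener without tlsverify accepts commands from anyone who
    can reach the port, which is the condition the worm exploits.
    """
    findings = []
    tcp_hosts = [h for h in config.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings
    if not config.get("tlsverify", False):
        for h in tcp_hosts:
            findings.append(f"{h}: API reachable over TCP without client-certificate verification")
        return findings
    # tlsverify is set: the daemon still needs the CA and server key pair.
    for key in ("tlscacert", "tlscert", "tlskey"):
        if key not in config:
            findings.append(f"tlsverify set but '{key}' is missing; daemon will fail to start securely")
    return findings


def parse_version_response(status: int, body: bytes) -> Optional[dict]:
    """Interpret an HTTP reply to GET /version; None unless it is a Docker daemon."""
    if status != 200:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    # A real Docker daemon always reports ApiVersion; anything else is not Docker.
    return data if isinstance(data, dict) and "ApiVersion" in data else None


def probe_docker_api(host: str, port: int = DOCKER_API_PORT, timeout: float = 3.0) -> Optional[dict]:
    """Send the unauthenticated GET /version a scanner uses.

    Returns the daemon's version info when the API is exposed, None when the
    port is closed, filtered, or does not answer as Docker.  Only point this
    at hosts you are authorised to test.
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/version")
        resp = conn.getresponse()
        status, body = resp.status, resp.read()
        conn.close()
    except (OSError, socket.timeout, http.client.HTTPException):
        return None
    return parse_version_response(status, body)


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or "no findings")
    # Probe this machine on the plaintext port; None means nothing answered.
    print("local daemon exposed:", probe_docker_api("127.0.0.1") is not None)
```

The audit treats `tlsverify` as the decisive setting because `tls` alone encrypts the channel but still lets any client drive the daemon; the probe returns `None` on any transport error rather than raising, so it can be run across a host list without the first unreachable host aborting the sweep.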

The cryptojacking malware also scrapes process memory on the infected host for any plaintext passwords it can find. According to the researchers, Black-T exfiltrates the harvested passwords to a TeamTnT-controlled command-and-control server.

Evolution of TeamTnT's Attack tactics

TeamTnT's DDoS and cryptomining botnet was first detected by MalwareHunterTeam in early May 2020. Trend Micro later analyzed the threat and found that its installation routine targeted exposed Docker instances.

In August 2020, Cado Security researchers observed the malware using a new AWS credential-stealing feature, making it the first cryptojacking malware known to have this capability.

Last month, researchers at Intezer observed TeamTnT using Weave Scope, a legitimate open-source tool, to map and monitor the containers and running processes on compromised hosts, and to take control of the applications installed on them.

TeamTnT's malware combined all of these tactics, techniques, and procedures (TTPs) to deploy itself in new containers and install a malicious payload binary that mines Monero cryptocurrency.

With the inclusion of a credential-scraping feature in the latest Black-T variant, the threat group now operates the first cryptojacking worm capable of exfiltrating such sensitive information.

Reactionary Times News Desk

