Black-T

Black-T Description

Black-T is a Trojan malware threat observed to be used as part of the arsenal of a hacker group known as TeamTNT. Initially, TeamTNT's main activity was the distribution of cryptocurrency miners for the Monero cryptocurrency. The hackers scanned the net for Docker installations with insufficient security and compromised them by delivering a crypto-miner payload.

However, cybersecurity researchers have noticed that the TeamTNT group has been diversifying its range of operations and expanding and modifying its malware toolkit. First, the hackers gave their crypto-jacking worm the ability to collect plaintext Amazon Web Services (AWS) credentials and config files from the compromised Docker or Kubernetes systems. Then, the cybercriminal group was observed exploiting a legitimate open-source tool called Weave Scope. The tool allowed the hackers to take complete control over the victim's cloud infrastructure, as well as map running processes, containers and hosts on compromised servers.

Collecting Passwords through Memory Scraping

The latest version of TeamTNT's malware tool, called Black-T by the researchers at Unit42, was analyzed and found to carry an even wider array of threatening functions. By using two open-source tools, mimipy and mimipenguin, which are similar in concept to the password-collecting tool Mimikatz, Black-T targets *NIX computers. The goal is to scrape the memory of the compromised systems for any plaintext passwords, which are then sent to the Command-and-Control (C2, C&C) infrastructure. As with the AWS credential collection, TeamTNT is likely to use the passwords for additional threatening activities against the compromised victim.
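A defender's angle on the memory-scraping stage is to look for one process reading the memory of many other processes, which is the behaviour such tools need regardless of which one is used. The script below is an added example written for this page, not code from the Black-T analysis or from the mimipy/mimipenguin projects. It walks simplified audit-style records (the format is constructed and flattened for illustration; real auditd splits syscall and path information across separate records) and reports processes that open another PID's /proc/<pid>/mem or /proc/<pid>/maps, or attach with ptrace, across at least `min_targets` distinct victim processes. The process names and PIDs in the sample are invented.

```python
"""Flag processes that read memory from many other processes.

Added example for the Black-T write-up. Record format, PIDs and command
names below are constructed for illustration, not captured telemetry.
"""
import re
from collections import defaultdict

# key=value or key="quoted value" pairs, as in audit-style logs.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# /proc paths that expose another process's address space.
MEM_PATH_RE = re.compile(r"^/proc/(\d+|self)/(mem|maps)$")

# Constructed sample records (simplified; not real auditd output).
SAMPLE_RECORDS = """\
type=SYSCALL pid=4242 comm="dumper" syscall=openat path="/proc/1001/maps"
type=SYSCALL pid=4242 comm="dumper" syscall=openat path="/proc/1001/mem"
type=SYSCALL pid=4242 comm="dumper" syscall=openat path="/proc/1002/mem"
type=SYSCALL pid=4242 comm="dumper" syscall=openat path="/proc/1003/mem"
type=SYSCALL pid=3001 comm="top" syscall=openat path="/proc/1001/stat"
type=SYSCALL pid=3002 comm="bash" syscall=openat path="/proc/self/maps"
type=SYSCALL pid=3003 comm="gdb" syscall=ptrace request=PTRACE_ATTACH target=1005
type=SYSCALL pid=3004 comm="python3" syscall=openat path="/proc/3004/maps"
"""


def parse_record(line):
    """Turn one record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_memory_scrapers(lines, min_targets=2):
    """Return {pid: sorted target pids} for processes that reach into the
    memory of at least `min_targets` other processes."""
    targets = defaultdict(set)
    names = {}
    for line in lines:
        rec = parse_record(line)
        pid = rec.get("pid")
        if not pid:
            continue
        syscall = rec.get("syscall")
        if syscall in ("open", "openat"):
            m = MEM_PATH_RE.match(rec.get("path", ""))
            # Reading your own maps/mem is ordinary; another PID's is not.
            if m and m.group(1) not in ("self", pid):
                targets[pid].add(m.group(1))
                names[pid] = rec.get("comm", "?")
        elif syscall == "ptrace" and rec.get("request") == "PTRACE_ATTACH":
            victim = rec.get("target")
            if victim and victim != pid:
                targets[pid].add(victim)
                names[pid] = rec.get("comm", "?")
    return {
        pid: sorted(v) for pid, v in targets.items() if len(v) >= min_targets
    }


if __name__ == "__main__":
    for pid, victims in find_memory_scrapers(SAMPLE_RECORDS.splitlines()).items():
        print(f"pid {pid} read memory of {len(victims)} processes: {victims}")
```

With the default threshold only the sweeping process (pid 4242) is reported; the single gdb attach is visible at `min_targets=1`. Debuggers, profilers and some monitoring agents legitimately produce the same pattern, so in practice the output is baselined against known command names and users rather than alerted on blindly.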

Black-T has another addition to its repertoire in the form of a Go network scanner called zgrab, bringing the total number of scanners to three; the other two are pnscan and masscan. A small clue that TeamTNT might be looking at making Android devices one of its targets is that Black-T's masscan was updated and now targets TCP port 5555.
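TCP port 5555 is the default port of the Android Debug Bridge, which is why the write-up links it to Android. From the defender's side, a host running masscan against that port shows up as one source touching many distinct destinations on port 5555 in a short time. The script below is an added example written for this page, not code from the Black-T analysis; it parses constructed firewall-style connection log lines (the format, addresses and timestamps are invented) and reports any source whose distinct-destination count on the watched port within a sliding window crosses a threshold.

```python
"""Spot mass scanning of one TCP port from outbound connection logs.

Added example for the Black-T write-up. The log format and every address
below are constructed for illustration, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed sample log: 10.0.0.9 sweeps six hosts on 5555 in a few
# seconds, 10.0.0.12 talks to a single device on 5555, 10.0.0.7 is HTTPS.
SAMPLE_LOG = """\
2020-10-05T10:00:00Z ACCEPT src=10.0.0.7 dst=203.0.113.10 proto=tcp dport=443
2020-10-05T10:00:01Z ACCEPT src=10.0.0.7 dst=203.0.113.11 proto=tcp dport=443
2020-10-05T10:00:01Z ACCEPT src=10.0.0.12 dst=192.0.2.20 proto=tcp dport=5555
2020-10-05T10:00:02Z DROP src=10.0.0.9 dst=198.51.100.1 proto=tcp dport=5555
2020-10-05T10:00:02Z DROP src=10.0.0.9 dst=198.51.100.2 proto=tcp dport=5555
2020-10-05T10:00:03Z DROP src=10.0.0.9 dst=198.51.100.3 proto=tcp dport=5555
2020-10-05T10:00:03Z DROP src=10.0.0.9 dst=198.51.100.4 proto=tcp dport=5555
2020-10-05T10:00:04Z DROP src=10.0.0.9 dst=198.51.100.5 proto=tcp dport=5555
2020-10-05T10:00:05Z ACCEPT src=10.0.0.9 dst=198.51.100.6 proto=tcp dport=5555
2020-10-05T10:00:09Z ACCEPT src=10.0.0.12 dst=192.0.2.20 proto=tcp dport=5555
garbage line that does not match the expected format
"""


def parse_line(line):
    """Parse one log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"].lower(),
        "dport": int(d["dport"]),
    }


def find_scanners(lines, port=5555, window_seconds=60, min_targets=5):
    """Return {src: peak distinct destinations on `port` inside any
    `window_seconds` window} for sources at or above `min_targets`."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["dport"] == port:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> hits currently inside window
        start, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window start forward past events older than `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} reached {n} distinct hosts on tcp/5555 within 60s")
```

The window and threshold are deliberately parameters: a scanner like masscan produces a burst of distinct destinations in seconds, while a legitimate host that talks to one or two devices on the same port over hours never accumulates a high peak, which is what keeps the rule quiet for 10.0.0.12 in the sample.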