TeamTNT Hackers Attacking VPS Servers Running CentOS

TeamTNT is targeting CentOS VPS clouds with SSH brute force attacks. It has uploaded a malicious script that disables security, deletes logs, and modifies system files to kill existing miners, remove Docker containers, and redirect DNS to Google servers.

The script stealthily installs the Diamorphine rootkit to gain root privileges and maintain persistent control by modifying system settings to hide its presence, creating a backdoor user with root access, and erasing command history to cover its tracks.

Researchers discovered a new campaign targeting CentOS VPS cloud infrastructures.

The attackers use SSH brute force to gain initial access and upload a malicious script that checks for previous compromises by searching for logs from other mining activities.

Checking miner existence

It checks for a recent xmrig.log file, then disables the firewall and NMI watchdog and deletes the syslog folder by modifying the permissions of various system directories and the authorized_keys file.

The script searches for an Alibaba cloud daemon and removes it. Then, it disables security measures SELinux and AppArmor to kill cryptocurrency mining processes by matching signatures.

The threat actor uses a custom tool, “tntrecht,” to modify permissions and rename legitimate processes on the compromised host, while Docker is used to terminate and remove coin miner containers, and the DNS configuration is altered to use Google DNS servers.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

commands executed to remove any miner running via Docker

The script modifies crontab files to establish persistence, cleans up existing jobs, and implants malicious code to ensure continuous execution and system lockdown.

It creates a cron job to periodically download a copy of the payload from a specific C2 server, which ensures the payload remains accessible even if the source is compromised. 

The crontab file’s timestamp is intentionally old to mislead security analysts and make it harder to detect malicious activity.

The script verifies root privileges, then creates a directory and copies a base64-encoded payload into it. 

When extracted, the payload reveals three files: diamorphine.c, diamorphine. h, and Makefile.

These constitute the source code of a rootkit named Diamorphine, which is available on GitHub.

Commands used to deliver the encoded payload

The diamorphine rootkit, a Linux kernel module, grants attackers elevated privileges and stealthy execution capabilities.

This allows attackers to hide processes, files, and themselves and even allow users to become root, posing a significant security threat to compromised systems.

TeamTNT locked down the compromised system by using chattr to modify file attributes. This prevented the administrator from executing chatter or other recovery tools, effectively blocking any attempts to reboot, power off, or regain access to the system.

According to Group IB, the attacker creates a new user with root privileges, adds it to the sudoer group, and configures SSH to allow access using a public key, which provides persistent access to the system.

The script modifies SSH and firewall settings to enhance security and stealth, which changes the SSH port to 11222, enables public key authentication, and opens the firewall for inbound connections on port 11222. 

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Aman Mishra

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

18 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

18 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

21 hours ago