Threat actors continuously updating their code with new threat vectors and obfuscation techniques is nothing new. However, a surge in malware targeting particular device groups reveals much about the shifting paradigm.
TeamTNT reinforces Black-T
TeamTNT is known to exfiltrate AWS credential files on compromised cloud systems and mine for Monero (XMR).
- Unit 42 researchers found a new variant of cryptojacking malware named Black-T, the brainchild of the TeamTNT cybercrime group, boosting its capabilities against Linux systems.
- The added potential includes memory password scraping via mimipy (works on Windows/Linux/OSX) and mimipenguin (Linux desktop)—two open-source Mimikatz equivalents targeting *NIX desktops.
IPStorm prepares for thunders
First uncovered in May 2019, the IPStorm botnet has been targeting Windows systems until now. Its size has quadrupled from around 3,000 systems in May 2019 to more than 13,500 devices by September end.
- In a recent development, experts at Intezer revealed that IPStorm now boasts of newer versions targeting Android, Linux, and Mac devices.
- Linux and Mac devices are infected after the gang performs a brute-force technique against SSH services.
- However, the Android systems are infected when the malware scans the internet for devices that had left their ADB (Android Debug Bridge) port exposed online.
FinSpy’s malware spin
As exposed by Amnesty International, a new surveillance campaign was reported targeting Egyptian civil society organizations.
- FinSpy, also known as FinFisher, used new variants that target macOS and Linux users. The spyware already had tools for Windows, iOS, and Android users.
- Besides keylogging, call interception, and screen recording, the malware’s additional capabilities included stealing emails by installing a malicious add-on to Apple Main and Thunderbird and collecting Wi-Fi network information.
Cybercriminals unfurling tools targeting Linux and Mac devices put a dent in the broadly held opinion that those operating systems are more secure and not susceptible to malicious code, unlike others. Experts recommend checking network settings and avoiding using unnecessary online applications to ensure safety. Other useful tips include configuring the firewall, filtering traffic, and protecting locally stored SSH keys used for network services.