Monero (XMR) Malware Black-T Can Now Steal User Credentials

Unit 42 researchers have found a new modification of a cryptojacking malware named Black-T that mine privacy coin Monero (XMR). The report was published on October 5, 2020. 

The prohibited miner not only provides sensitive data back to hackers but even shuts down other mining malware on an infected device.

Old Monero Malware Is Back With A New Update

Cryptojacking is an increasing threat among both retail and business networks, as previously reported by BTC Manager. Hackers have renewed “Black-T,” an old Monero malware, to steal personally identifiable information and user credentials and seize any other illegal miners on an infected computer, according to a report by cybersecurity company Unit 42. It turns out, this new-and-improved malware operation was never seen before. 

According to the report, Black-T mimics the conventional TeamTnT tactics, methods, and styles (TTPs) of targeting exposed Docker daemon APIs and implementing scanning and cryptojacking acts on vulnerable machines of affected companies. Still, code within the Black-T malware gives an indication of a change in TTPs for TeamTnT services.

How Black-T Works?

Black-T utilizes a hacking tool named “Mimikatz” to rub plaintext passwords from Windows OS machines. The tool also enables hackers to seize user sessions, such as suspending computer usage when a user is working on the machine.

After seizing any recognized cryptojacking methods, the Black-T malware will also conduct a sweeping action for any recognized xmrig method currently operating on the infected machine. XMRig is a successful open-source method, which promotes the computational processes required to mine the XMR cryptocurrency.

The report further stated that Unit 42 researchers consider that TeamTnT actors intend to develop more advanced cryptojacking mechanisms into their toolsets, particularly for distinguishing vulnerable machines within different cloud environments. 

The report further stated that security against such attacks is comparatively straightforward. Users must make sure that no files with highly delicate data are revealed to the internet and that threat software is always up to date and from a reputed company.

Additionally, Black-T also executes scanning actions on any CIDR 8 network series as it hunts for vulnerable Docker API instances. This is also a new discovery linked to TeamTnT TTPs. Another important thing to remember about this malware is that it can also stop other mining malware on vulnerable machines and install its own.

Source: Read Full Article