The TeamTNT cybercriminal group has recently updated its cryptominer malware with new features. The network worm can now steal passwords from victims and, with an additional network scanner, spread more easily to other devices.
TeamTNT is best known for its attacks on Docker installations, which it then uses to mine the Monero digital currency (XMR). However, mining alone apparently did not bring the criminals enough, so they decided to steal victims' accounts as well.
As explained by researchers from Unit 42, the attackers collect passwords using utilities including mimipy.
These two tools are open-source analogues of Mimikatz.
The malware developed by the group, named Black-T, can now collect plaintext passwords, which usually reside in the memory of the compromised computer.
All collected data is sent to a server controlled by the cybercriminals.
“Stolen data is likely to be used in future operations. In other words, to attack organizations managing the compromised Docker API,” the experts wrote.