
Black-T

Posted: October 6, 2020

Black-T is a threatening implant that tries to take over infected systems and turn them into zombies used to mine cryptocurrencies such as Monero (XMR). However, the Black-T implant appears to feature more modules than a plain crypto-miner: it also runs legitimate password recovery tools for Windows (Mimikatz) and UNIX-based systems. It is one of the few cryptominers that pack an infostealing module, which is one of the main reasons why the Black-T malware is considered a severe threat.

The malware's development is attributed to the TeamTNT Criminal Group, a cybercrime organization specializing in crypto-mining operations. TeamTNT's past campaigns focused on infecting vulnerable Docker servers, but the Black-T implant is expanding its reach by targeting other systems too. The latest iteration of the malware features the aforementioned password-collecting tools, as well as a new network scanner that is being used to scan the Internet for potentially vulnerable targets that Black-T could infect next.

Black-T's rich functionality shows that the TeamTNT Criminal Group is quickly learning how to run more optimized campaigns, which would allow them to expand their operations in the future. The inclusion of a third port-scanning utility may enable Black-T to discover other servers that could be compromised and then added to TeamTNT's ever-growing botnet.

The password-collecting module of Black-T appears to focus on collecting credentials used by Amazon Web Services (AWS) – this is not surprising considering that these servers would enable the attackers to run more instances of the crypto-miner, as well as the network-scanning utilities. Keeping servers secure from Black-T requires the use of strong passwords, as well as up-to-date anti-virus software.
