Main navigation

Monero Mining Botnet Now Capable of Stealing Your Passwords

Mon, 10/05/2020 - 17:45
article image
Alex Dovbnya
Researchers uncover a password-stealing capability of crypto mining worm TeamTnT
Monero Mining Botnet Now Capable of Stealing Your Passwords
Cover image via
Read U.TODAY on
Google News

Cybersecurity firm Unit 42 has uncovered a new version of cryptocurrency mining botnet called TeamTnT that steals passwords from a compromised computer, according to its Oct. 5 report.

In such a way, TeamTnT continues to diversify the capabilities of its malware beyond stealthy mining privacy coin Monero (XMR).  

The bad actors behind the botnet utilize the equivalents of popular password-scraping tool Mimikatz.

Dubbed “Black-T,” the new variant of the botnet sends stolen passwords to a command and control (C2) node controlled by the TeamTnT hacking group:

Any identified passwords which were obtained through mimipenguins are then exfiltrated to a TeamTnT command and control (C2) node. This is the first time TeamTnT actors have been witnessed including this type of post-exploitation operation in their TTPs.  

According to Unit 42, traces of other cryptojacking processes, such as the Crux worm miner, have been detected in the code of Black-T:

With the inclusion of these potential cryptojacking processes found within the Black-T malware, it would appear that these cryptojacking processes are known to the TeamTnT authors as competing for cloud processing resources. This would also indicate there are several cryptojacking processes currently unknown to defense teams and efforts should be taken to identify and build mitigation rules for these currently unknown cryptojacking processes.  

The group’s C2 is believed to be hosted by a Germany-based company. It is worth noting that Black-T and other malicious scripts attributed to the group contain some phrases in the German language.

Adobe Flash Player Gets New Life as Tool for Cryptojacking

The code of the Monero-mining worm attributed to the TeamTnT group was first discovered back in May.  

Researchers from Cado Security later found out that TeamTnT was also capable of stealing Amazon Web Services (AWS) credentials from compromised servers. Parts of the code of another cloudjacking worm Kinsing were found in the exploit.

Cryptojackers are becoming more sophisticated. As reported by U.Today, the Stantinko botnet started implementing new obfuscating techniques for illegally mining XMR earlier this year. 

article image
About the author

Alex Dovbnya (aka AlexMorris) is a cryptocurrency expert, trader and journalist with extensive experience of covering everything related to the burgeoning industry — from price analysis to Blockchain disruption. Alex authored more than 1,000 stories for U.Today, CryptoComes and other fintech media outlets. He’s particularly interested in regulatory trends around the globe that are shaping the future of digital assets, can be contacted at