In January 2021, Palo Alto Unit 42 researchers detected a new malware campaign targeting Kubernetes clusters. The attackers gained initial access via a misconfigured kubelet that allowed anonymous access.

Once getting a foothold into a Kubernetes cluster, the malware attempted to spread over as many containers as possible and eventually launched cryptojacking operations. Based on the tactics, techniques and procedures (TTP) that the attackers used, Unit 42 researchers believe this is a new campaign from TeamTNT. Researchers refer to this new malware as Hildegard, the username of the tmate account that the malware used.

According to Unit 42 researchers, TeamTNT is known for exploiting unsecured Docker daemons and deploying malicious container images, as documented in previous research (CetusBlack-T and TeamTNT DDoS). However, this is the first time they found TeamTNT targeting Kubernetes environments. In addition to the same tools and domains identified in TeamTNT’s previous campaigns, this new malware carries multiple new capabilities that make it more stealthy and persistent. In particular, the researchers found that TeamTNT’s Hildegard malware:

  • Uses two ways to establish command and control (C2) connections: a tmate reverse shell and an Internet Relay Chat (IRC) channel.
  • Uses a known Linux process name (bioset) to disguise the malicious process.
  • Uses a library injection technique based on LD_PRELOAD to hide the malicious processes.
  • Encrypts the malicious payload inside a binary to make automated static analysis more difficult.

Unit 42 researchers believe that this new malware campaign is still under development due to its seemingly incomplete codebase and infrastructure. At the time of writing, most of Hildegard’s infrastructure has been online for only a month. The C2 domain borg[.]wtf was registered on Dec. 24, 2020, the IRC server went online on Jan. 9, 2021, and some malicious scripts have been updated frequently. The malware campaign has ~25.05 KH/s hashing power, and there is 11 XMR (~$1,500) in the wallet.

There has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponization stage, say the researchers. Considering this malware’s capabilities and target environments, the researchers believe that the group will soon launch a larger-scale attack. The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters.

Tal Morgenstern, Co-Founder and CPO at Vulcan Cyber, a remediation intelligence provider, says, “In this complex attack, threat actors are leveraging a combination of Kubernetes misconfigurations and known vulnerabilities. DevOps and IT teams must closely coordinate with their counterparts in security to prioritize remediation especially for external-facing assets and high-risk vulnerabilities. It is very possible to quickly secure Kubernetes. The remedies are available, but it takes work, focus and cross-team collaboration to get fix done and prevent these kinds of attacks.”

Jack Mannino, CEO at nVisium, a Falls Church, Virginia-based application security provider, notes, “This attack leveraged a common Kubernetes misconfiguration to gain persistence within the cluster. Combined with weakness in access control and isolation, this is a good way to gain a foothold into a cluster and establish command and control. As more production workloads move to cloud native, the complexity of securing clusters, software development pipelines, and cloud architectures becomes incredibly difficult, as the attack surface significantly expands.”

For detailed findings, please visit https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/