Hildegard Malware

Hildegard Malware Description

The hacker group known as TeamTNT has launched a new campaign that aims to breach Kubernetes clusters and deploy a never-before-seen cryptomining malware called the Hildegard Malware. According to infosec experts, the operation may still be in an early stage, characterized by a focus on reconnaissance and on ways to weaponize the access further.

Analyses of the threat revealed that the Hildegard Malware combines already established tools and domains from previous TeamTNT operations with several markedly new capabilities. The threat can establish a connection with its Command-and-Control (C2, C&C) infrastructure in two different ways - through a tmate reverse shell and via an IRC (Internet Relay Chat) channel. To reduce its chances of being detected, the Hildegard Malware hides its IRC traffic to the C2 servers by posing as a legitimate Linux process named bioset. To protect its processes from being discovered, the Hildegard Malware modifies the /etc/ld.so.preload file using a technique based on LD_PRELOAD, which lets the malware intercept the functions that programs import from shared libraries. Finally, to make automated static detection far less reliable, the threat encrypts its payload inside a binary file.
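The two hiding techniques above each leave a host-side trace a defender can check for: an entry in /etc/ld.so.preload, and a process named bioset that behaves like a user-space program rather than the kernel thread of that name. The following triage script is an added example, not code from the original analysis; it works on snapshots of /etc/ld.so.preload and of per-process /proc fields so it runs offline, and the PIDs, paths and library name in the sample are constructed, not real indicators.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm
    exe: str       # readlink of /proc/<pid>/exe; empty for kernel threads
    cmdline: str   # /proc/<pid>/cmdline, NULs replaced; empty for kernel threads
    sockets: int   # count of "socket:[...]" links under /proc/<pid>/fd

def check_preload(preload_text: str) -> List[str]:
    """Return every non-comment entry of /etc/ld.so.preload. On a host that
    does not deliberately use a preload library the file should be absent or
    empty, so any entry deserves a look. Read the file with a statically linked
    tool or from a disk image: a preload hook can hide its own entry from
    dynamically linked readers."""
    return [ln.strip() for ln in preload_text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]

def check_bioset(procs: List[Proc]) -> List[str]:
    """Flag processes named 'bioset' that look like user-space programs.
    The genuine bioset is a kernel thread: no exe link, no cmdline and no
    sockets. A 'bioset' with any of these is an impostor, e.g. an IRC bot."""
    findings = []
    for p in procs:
        if p.comm != "bioset":
            continue
        reasons = []
        if p.exe:
            reasons.append(f"exe={p.exe}")
        if p.cmdline:
            reasons.append("has cmdline")
        if p.sockets:
            reasons.append(f"{p.sockets} socket fds")
        if reasons:
            findings.append(f"pid {p.pid}: " + ", ".join(reasons))
    return findings

# Constructed sample snapshot; PIDs, paths and the library name are made up.
SAMPLE_PRELOAD = "# constructed sample\n/tmp/.x/libhide.so\n"
SAMPLE_PROCS = [
    Proc(412, "bioset", "", "", 0),                                # real kernel thread
    Proc(31337, "bioset", "/tmp/.x/bioset", "/tmp/.x/bioset", 2),  # user-space impostor
    Proc(900, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D", 3),
]

if __name__ == "__main__":
    print("ld.so.preload entries:", check_preload(SAMPLE_PRELOAD))
    print("suspicious bioset processes:", check_bioset(SAMPLE_PROCS))
```

On a live Linux host the Proc fields map directly onto /proc/<pid>/comm, exe, cmdline and fd, so the same checks can be fed from a collector or from a forensic image.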

As an initial compromise vector, the Hildegard Malware exploits misconfigured kubelets, the agent that runs on each Kubernetes node and watches for pod specs via the Kubernetes API server. When the hackers find such a misconfigured kubelet, they use it for remote code execution and ultimately gain access to the system. Once inside, the hackers waste no time - they deploy and run tmate to open a reverse shell pointing to tmate.io. The next step is to spread the Hildegard Malware across the internal network by looking for additional vulnerable kubelets with the masscan port scanner.

On every container managed by a breached kubelet, TeamTNT drops a Monero cryptomining script - xmr.sh. Researchers discovered that, so far, the hackers had managed to amass approximately $1500 in Monero coins. The cryptomining payload can completely cripple the infected system by hijacking a large share of its resources and disrupting every application in the cluster.