Researchers warn that the Hildegard malware is part of ‘one of the most complicated attacks targeting Kubernetes.’

Researchers have discovered never-before-seen malware, dubbed Hildegard, that is being used by the TeamTNT threat group to target Kubernetes clusters.

While Hildegard, initially detected in January 2021, is initially being used to launch cryptojacking operations, researchers believe that the campaign may still be in the reconnaissance and weaponization stage. Eventually, they warn, TeamTNT may launch a more large-scale cryptojacking attack via Kubernetes environments or steal data from applications running in Kubernetes clusters.

“We believe that this new malware campaign is still under development due to its seemingly incomplete codebase and infrastructure,” said Jay Chen, Aviv Sasson and Ariel Zelivansky, researchers with Palo Alto Networks, on Wednesday. “At the time of writing, most of Hildegard’s infrastructure has been only online for a month.”

The Campaign

Attackers first gained initial access by targeting a misconfigured kubelet with a remote code execution attack that gave them anonymous access.

The kubelet maintains a set of pods on a local system; within a Kubernetes cluster, the kubelet functions as a local agent that watches for pod specs via the Kubernetes API server.

Once getting a foothold into a Kubernetes cluster in this way, the attacker downloaded tmate and issued a command to run it in order to establish a reverse shell to tmate.io. Tmate is a software application that provides provides a secure terminal sharing solution over an SSH connection.

kubernetes clusters

The attack process. Credit: Palo Alto Networks

Then the attacker used the masscan Internet port scanner to scan Kubernetes’s internal network and find other unsecured kubelets. They then attempted to deploy a malicious cryptomining script (xmr.sh) to containers managed by these kubelets. Researchers said that from these cryptojacking operations, attackers have collected 11 XMR (~$1,500) in their wallet.

TeamTNT has previously targeted unsecured Docker daemons in order to deploy malicious container images. Researchers noted that these Docker engines run on a single host. On the other hand, the Kubernetes clusters, which are the set of nodes that run containerized applications, typically contain more than one host – with every host running multiple containers.

This means that attackers can work with a more abundant set of resources in a Kubernetes infrastructure – meaning a hijacked Kubernetes cluster can be more profitable than a hijacked Docker host, they said.

“The most significant impact of the malware is resource hijacking and denial of service (DoS),” said researchers. “The cryptojacking operation can quickly drain the entire system’s resources and disrupt every application in the cluster.”

Malware Capabilities

While the malware utilizes many of the same tools and domains identified in TeamTNT’s previous campaigns, it also harbors multiple new capabilities that make it more stealthy and persistent, said researchers.

For one, the malware relies on two disparate ways to establish command and control (C2) connections: the tmate reverse shell, as well as an Internet Relay Chat (IRC) channel.

“It is unclear how TeamTNT chooses and tasks between these two C2 channels, as both can serve the same purpose,” said researchers.

Hildegard also uses various detection evasion tactics that researchers have not previously associated with TeamTNT. For example, the malware mimics a known Linux process name (bioset) to disguise its malicious IRC communications.

It also uses a library injection technique based on LD_PRELOAD to hide its malicious processes: “The malware modified the /etc/ld.so.preload file to intercept shared libraries’ imported functions,” explained researchers, “This way, when applications try to identify the running processes (by reading files under /proc) in the containers, tmate, xmrig … will not be found.”

Finally, the malware encrypts its malicious payload inside a binary to make the automated static analysis more difficult.

TeamTNT

The new malware is only the latest change from the TeamTNT cybercrime group, which is known for cloud-based attacks, including targeting Amazon Web Services (AWS) credentials in order to break into the cloud and use it to mine for the Monero cryptocurrency.

Last week, researchers found that the group had added a new detection-evasion tool to its arsenal, helping its cryptomining malware skirt by defense teams. From time to time, TeamTNT has also been seen deploying various updates to its cryptomining malware. In August, TeamTNT’s cryptomining worm was discovered spreading through the AWS cloud and collecting credentials. Then, after a hiatus, the TeamTNT group returned in September to attack Docker and Kubernetes cloud instances by abusing a legitimate cloud-monitoring tool called Weave Scope.

Researchers noted that while the malware is still under development and the campaign is not yet widespread, they believe the attacker will soon mature its tools and start a large-scale deployment.

“This new TeamTNT malware campaign is one of the most complicated attacks targeting Kubernetes,” said researchers. “This is also the most feature-rich malware we have seen from TeamTNT so far. In particular, the threat actor has developed more sophisticated tactics for initial access, execution, defense evasion and C2. These efforts make the malware more stealthy and persistent.”