The hacking group TeamTNT has been employing a new piece of malware, dubbed Hildegard, in a series of attacks targeting Kubernetes systems.
Early this year, researchers from Trend Micro discovered that the TeamTNT botnet was improved with the ability to steal Docker credentials. At the end of January, the group has improved its Linux cryptocurrency miner by implementing open-source detection evasion capabilities.
The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and that targets Docker installs. The activity of the TeamTNT group has been detailed by security firm Trend Micro, but in August experts from Cado Security discovered that that botnet is also able to target misconfigured Kubernetes installations.
Upon infecting Docker and Kubernetes systems running on top of AWS servers, the bot scans for ~/.aws/credentials and ~/.aws/config that are the paths were the AWS CLI stores credentials and configuration details in an unencrypted file.
The malware deploys the XMRig mining tool to mine Monero cryptocurrency.
In January 2021, the cybercrime gang launched a new campaign targeting Kubernetes environments with the Hildegard malware, Palo Alto Networks warns.
The hackers leveraged misconfigured kubelet to gain access to the Kubernetes cluster, then attempted to spread over as many containers as possible and eventually compromise them cryptojacking miners.
Below the attack chain documented by the reseachers from Palo Alto Networks:
The malware connects to the command and control (C&C) server via a tmate reverse shell and an Internet Relay Chat (IRC) channel. The malicious code names the IRC process “bioset”, which is the name of a well-known Linux kernel process bioset, to avoid detection.
The malicious code also leverages other techniques to avoid detection, for example it modifies the system DNS resolvers and uses Google’s public DNS servers to bypass DNS monitoring tools.
It also hides malicious processes using library injection and encrypts the malicious payload.
“TeamTNT is known for exploiting unsecured Docker daemons and deploying malicious container images, as documented in previous research (Cetus, Black-T and TeamTNT DDoS). However, this is the first time we found TeamTNT targeting Kubernetes environments. In addition to the same tools and domains identified in TeamTNT’s previous campaigns, this new malware carries multiple new capabilities that make it more stealthy and persistent.” states the analysis published by Palo Alto Networks. “In particular, we found that TeamTNT’s Hildegard malware:
Researchers believe that the hacker group is going to launch a larger-scale attack in the next months.
The attackers could use the reverse shell to perform additional malicious operations manually, including reconnaissance and data exfiltration.
The Hildegard malware allows attackers to steal various types of information, including credentials, cloud access keys and tokens, SSH keys, Docker credentials, and Kubernetes service tokens.
“Unlike a Docker engine that runs on a single host, a Kubernetes cluster typically contains more than one host and every host can run multiple containers. Given the abundant resources in a Kubernetes infrastructure, a hijacked Kubernetes cluster can be more profitable than a hijacked Docker host.” concludes the report.
“This new TeamTNT malware campaign is one of the most complicated attacks targeting Kubernetes. This is also the most feature-rich malware we have seen from TeamTNT so far. In particular, the threat actor has developed more sophisticated tactics for initial access, execution, defense evasion and C&C.”
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, TeamTNT)