TeamTNT group uses Hildegard Malware to target Kubernetes Systems

The TeamTNT hacker group has been employing a new piece of malware, dubbed Hildegard, to target Kubernetes installs.

The hacking group TeamTNT has been employing a new piece of malware, dubbed Hildegard, in a series of attacks targeting Kubernetes systems.

Early this year, researchers from Trend Micro discovered that the TeamTNT botnet was improved with the ability to steal Docker credentials. At the end of January, the group has improved its Linux cryptocurrency miner by implementing open-source detection evasion capabilities.

The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and that targets Docker installs. The activity of the TeamTNT group has been detailed by security firm Trend Micro, but in August experts from Cado Security discovered that that botnet is also able to target misconfigured Kubernetes installations.

Upon infecting Docker and Kubernetes systems running on top of AWS servers, the bot scans for ~/.aws/credentials and ~/.aws/config that are the paths were the AWS CLI stores credentials and configuration details in an unencrypted file.

The malware deploys the XMRig mining tool to mine Monero cryptocurrency.

In January 2021, the cybercrime gang launched a new campaign targeting Kubernetes environments with the Hildegard malware, Palo Alto Networks warns.

The hackers leveraged misconfigured kubelet to gain access to the Kubernetes cluster, then attempted to spread over as many containers as possible and eventually compromise them cryptojacking miners.

Below the attack chain documented by the reseachers from Palo Alto Networks:

1. The attacker targeted an unsecured Kubelet on the internet and searched for containers running inside the Kubernetes nodes. After finding container 1 in Node A, the attacker attempted to perform remote code execution (RCE) in container 1.
2. The attacker downloaded tmate and issued a command to run it and establish a reverse shell to tmate.io from container 1. The attacker then continued the attack with this tmate session.
3. The attackers launched a masscan from the container 1 to scan Kubernetes’s internal network and found unsecured Kubelets in Node B and Node C. The attacker then attempted to deliver and execute crypto mining script (xmr.sh) to containers managed by these Kubelets (containers 2-7).
4. Containers that ran xmr.sh started an xmrig process and established an IRC channel back to the IRC C2.
5. The attacker could also create another tmate session from one of the containers (container 4). With the reverse shell, the attacker could perform more manual reconnaissance and operations.

The malware connects to the command and control (C&C) server via a tmate reverse shell and an Internet Relay Chat (IRC) channel. The malicious code names the IRC process “bioset”, which is the name of a well-known Linux kernel process bioset, to avoid detection.

The malicious code also leverages other techniques to avoid detection, for example it modifies the system DNS resolvers and uses Google’s public DNS servers to bypass DNS monitoring tools.

It also hides malicious processes using library injection and encrypts the malicious payload.

“TeamTNT is known for exploiting unsecured Docker daemons and deploying malicious container images, as documented in previous research (Cetus, Black-T and TeamTNT DDoS). However, this is the first time we found TeamTNT targeting Kubernetes environments. In addition to the same tools and domains identified in TeamTNT’s previous campaigns, this new malware carries multiple new capabilities that make it more stealthy and persistent.” states the analysis published by Palo Alto Networks. “In particular, we found that TeamTNT’s Hildegard malware:

• Uses two ways to establish command and control (C2) connections: a tmate reverse shell and an Internet Relay Chat (IRC) channel.
• Uses a known Linux process name (bioset) to disguise the malicious process.
• Uses a library injection technique based on LD_PRELOAD to hide the malicious processes.
• Encrypts the malicious payload inside a binary to make automated static analysis more difficult.”

Researchers believe that the hacker group is going to launch a larger-scale attack in the next months.

The attackers could use the reverse shell to perform additional malicious operations manually, including reconnaissance and data exfiltration.

The Hildegard malware allows attackers to steal various types of information, including credentials, cloud access keys and tokens, SSH keys, Docker credentials, and Kubernetes service tokens.

“Unlike a Docker engine that runs on a single host, a Kubernetes cluster typically contains more than one host and every host can run multiple containers. Given the abundant resources in a Kubernetes infrastructure, a hijacked Kubernetes cluster can be more profitable than a hijacked Docker host.” concludes the report.

“This new TeamTNT malware campaign is one of the most complicated attacks targeting Kubernetes. This is also the most feature-rich malware we have seen from TeamTNT so far. In particular, the threat actor has developed more sophisticated tactics for initial access, execution, defense evasion and C&C.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, TeamTNT)

[adrotate banner=”5″]

[adrotate banner=”13″]