Hildegard Malware [cyberflorida]
by CIRT Team
I. Targeted Software
- Docker
- Kubernetes
- Amazon Web Services (AWS)
- Microsoft Azure
- Google Cloud
II. Introduction
A hacking group referred to as “TeamTNT” had been active for roughly eight months before this report. In the summer of 2020, security researchers identified TeamTNT as the group behind crypto-mining malware capable of stealing local credentials and Amazon Web Services (AWS) login details.[2] At that time TeamTNT was targeting Docker and Kubernetes.[2] In September 2020, TeamTNT ran another campaign that used the open source tool Weave Scope to enumerate targeted cloud environments and execute commands.[2] Palo Alto Networks’ Unit 42 uncovered a new campaign, started in January 2021, in which TeamTNT targeted Kubernetes environments with a new malware named Hildegard.[2]
III. Background Information
Although the campaign is still in an early stage, researchers believe that the threat actors behind the Hildegard malware may launch larger-scale cryptojacking attacks through Kubernetes environments or steal information from the applications running in Kubernetes clusters.[3] In their report, Palo Alto researchers maintained that the malware is still under development, given its seemingly incomplete codebase and infrastructure. In the observed attack, the threat actors gained access by targeting a misconfigured kubelet with a remote code execution attack.[3] Within a Kubernetes cluster, a kubelet maintains the set of pods on its local node and obtains pod specs from the Kubernetes API server.[3] Once inside the cluster, the attackers downloaded tmate, an application used for secure terminal sharing over an SSH connection.[3] They ran a command to establish a reverse shell to tmate.io. Using the port scanner masscan, the attackers then located further unsecured kubelets inside the cluster and attempted to deploy a malicious cryptomining script (xmr.sh) to the containers managed by those kubelets.[3] Researchers estimate that the attackers collected around $1,500 (11 XMR).[3]
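The misconfiguration that gave TeamTNT its foothold is a kubelet that serves its API to anonymous callers. The script below is an added example for this advisory, not code from the advisory or from Unit 42: it audits a KubeletConfiguration file for anonymous authentication, the AlwaysAllow authorization mode and the unauthenticated read-only port, with a constructed weak configuration beside a hardened one. The sample values, file paths and function names are assumptions made for the example.

```python
"""Audit a KubeletConfiguration for the exposure Hildegard exploited.

Added example for this advisory; not code from the advisory or from Unit 42.
The kubelet loads its configuration from the file passed to --config (YAML or
JSON; JSON is used here so only the standard library is needed). With
authentication.anonymous.enabled=true and authorization.mode=AlwaysAllow, any
client that can reach TCP/10250 can list pods (GET /pods) and run commands in
any container the kubelet manages, which is the initial-access step described
above. Both sample configurations are constructed for the example.
"""
import json
import sys

# Constructed sample: the exposed configuration.
WEAK_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
})

# Constructed sample: the hardened configuration. Anonymous requests are rejected,
# every request is authorized against the API server, and the read-only port is off.
HARDENED_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
})

# Defaults applied when a field is omitted from the config file. These differ from
# the legacy command-line flags (--anonymous-auth, --authorization-mode,
# --read-only-port), whose defaults are the insecure values.
DEFAULTS = {"anonymous": False, "mode": "Webhook", "readOnlyPort": 0}


def audit_kubelet_config(text):
    """Return a list of (check_id, message) findings; an empty list means clean."""
    cfg = json.loads(text)
    if cfg.get("kind") != "KubeletConfiguration":
        raise ValueError("not a KubeletConfiguration document")
    findings = []
    anonymous = cfg.get("authentication", {}).get("anonymous", {}).get("enabled", DEFAULTS["anonymous"])
    if anonymous:
        findings.append(("anonymous-auth",
                         "authentication.anonymous.enabled is true: unauthenticated callers reach the kubelet API"))
    mode = cfg.get("authorization", {}).get("mode", DEFAULTS["mode"])
    if mode == "AlwaysAllow":
        findings.append(("always-allow",
                         "authorization.mode is AlwaysAllow: every request is permitted, including /run and /exec"))
    ro_port = cfg.get("readOnlyPort", DEFAULTS["readOnlyPort"])
    if ro_port:
        findings.append(("read-only-port",
                         f"readOnlyPort {ro_port} is enabled: pod and container inventory is served without authentication"))
    return findings


def allows_anonymous_exec(text):
    """True when the combination TeamTNT abused is present: anonymous auth plus AlwaysAllow."""
    ids = {check for check, _ in audit_kubelet_config(text)}
    return {"anonymous-auth", "always-allow"} <= ids


if __name__ == "__main__":
    # Usage: python audit_kubelet.py /var/lib/kubelet/config.json
    # Without an argument the two constructed samples are audited.
    sources = [("weak sample", WEAK_CONFIG), ("hardened sample", HARDENED_CONFIG)]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            sources = [(sys.argv[1], f.read())]
    for name, text in sources:
        print(f"== {name}: anonymous exec possible = {allows_anonymous_exec(text)}")
        for check, msg in audit_kubelet_config(text) or [("ok", "no findings")]:
            print(f"  [{check}] {msg}")
```

Point the script at the node's kubelet configuration (a YAML file needs a YAML loader first) or run it without arguments to compare the two samples. A kubelet configured only through command-line flags rather than a config file has the insecure values as defaults for all three settings, so it must be checked from its process arguments instead.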
TeamTNT had previously targeted unsecured Docker daemons to deploy malicious container images.[3] Unlike a Kubernetes cluster, which runs on multiple hosts, a Docker engine runs on a single host, so the attackers did not find hijacking a Docker host as profitable as hijacking a Kubernetes cluster.[3] “The most significant impact of the malware is resource hijacking and denial of service (DoS),” said the researchers.[3]
Hildegard contains tools and domains that TeamTNT has used before, together with new features that make it stealthier and more persistent. For example, the malware relies on two different channels for command and control: a tmate reverse shell and an Internet Relay Chat (IRC) channel.[3] Hildegard also uses detection evasion tactics that researchers say they had not seen in previous TeamTNT attacks. The malware names its IRC process bioset, after a legitimate Linux kernel thread of that name, to disguise its IRC communications.[3]
Hildegard hides its malicious processes with a library injection technique based on LD_PRELOAD. Lastly, by encrypting its malicious payload inside a binary, the malware makes automated static analysis much harder.[3]
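The two evasion techniques just described leave traces a defender can look for: the /etc/ld.so.preload entry itself, and a process named bioset whose parent and command line do not match a real kernel thread. The script below is an added example, not code from the advisory or from Unit 42; the sample process table, the list of names it treats as kernel-only and the function names are assumptions made for the example.

```python
"""Spot Hildegard-style process hiding and kernel-thread masquerading.

Added example for this advisory; not code from the advisory or from Unit 42.
It implements two host checks that follow from the behaviour described above:
1. /etc/ld.so.preload normally does not exist or is empty. Every library listed
   there is mapped into each dynamically linked process, so one unexpected entry
   is a strong signal that functions such as readdir() are hooked to hide things.
2. A genuine kernel thread such as bioset is spawned by kthreadd (PID 2) and has
   an empty /proc/<pid>/cmdline. A user-space process that has merely renamed
   itself "bioset" has an ordinary parent and a real command line.
SAMPLE_PROCS is constructed for the example; on a live host use
collect_live_processes() instead.
"""
import os

# Constructed sample process table: (pid, ppid, comm, cmdline).
SAMPLE_PROCS = [
    (2, 0, "kthreadd", ""),
    (17, 2, "kworker/0:1", ""),
    (39, 2, "bioset", ""),                                       # genuine kernel thread
    (1234, 1, "bioset", "/tmp/.bioset -s irc.example.invalid"),  # user-space impostor
    (1300, 1, "sshd", "/usr/sbin/sshd -D"),
]

# Names that only kernel threads legitimately carry (matched before any '/').
KERNEL_THREAD_NAMES = ("bioset", "kthreadd", "kworker", "ksoftirqd", "migration", "kswapd")
KTHREADD_PID = 2


def base_name(comm):
    """'kworker/u8:3' -> 'kworker'; 'bioset' -> 'bioset'."""
    return comm.split("/", 1)[0]


def masquerading_processes(procs):
    """Return (pid, comm, cmdline) for processes that carry a kernel-thread name
    but are not children of kthreadd or have a command line."""
    hits = []
    for pid, ppid, comm, cmdline in procs:
        if base_name(comm) not in KERNEL_THREAD_NAMES or pid == KTHREADD_PID:
            continue
        if ppid != KTHREADD_PID or cmdline:
            hits.append((pid, comm, cmdline))
    return hits


def preload_entries(text):
    """Parse /etc/ld.so.preload content: a whitespace-separated list of libraries."""
    return text.split()


def collect_live_processes(proc="/proc"):
    """Read (pid, ppid, comm, cmdline) for every process visible in /proc."""
    procs = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc}/{pid}/stat") as f:
                stat = f.read()
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
        except OSError:
            continue  # exited between the listing and the read
        # stat is "pid (comm) state ppid ..."; comm may contain spaces or ')',
        # so split on the last ')'.
        head, _, tail = stat.rpartition(")")
        comm = head.split("(", 1)[1]
        ppid = int(tail.split()[1])
        procs.append((pid, ppid, comm, cmdline))
    return procs


def hidden_pids(proc="/proc"):
    """PIDs the kernel knows about that are missing from a /proc listing.
    A preloaded readdir() hook can drop entries from the listing, but it cannot
    stop kill(pid, 0) from answering. kill() also answers for thread IDs, so a
    candidate is kept only if it is a thread-group leader or cannot be inspected
    at all. Processes that start between the listing and the probe cause false
    positives; re-check any hit."""
    with open(f"{proc}/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    visible = {int(e) for e in os.listdir(proc) if e.isdigit()}
    found = []
    for pid in range(1, pid_max + 1):
        if pid in visible:
            continue
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by another user
        try:
            with open(f"{proc}/{pid}/status") as f:
                tgid = next(int(l.split()[1]) for l in f if l.startswith("Tgid:"))
            if tgid != pid:
                continue  # a thread, not a hidden process
        except (OSError, StopIteration):
            pass  # unreadable yet alive: report it
        found.append(pid)
    return found


if __name__ == "__main__":
    try:
        with open("/etc/ld.so.preload") as f:
            print("ld.so.preload entries:", preload_entries(f.read()))
    except FileNotFoundError:
        print("ld.so.preload: absent")
    print("masquerading (sample table):", masquerading_processes(SAMPLE_PROCS))
    print("masquerading (this host):", masquerading_processes(collect_live_processes()))
    print("hidden PIDs (this host):", hidden_pids())
```

Run it on the node itself rather than inside a container: from a container, /proc shows only that container's PID namespace, so neither the host's kernel threads nor processes hidden from the host are visible. The hidden-PID probe walks the whole PID range and takes a few seconds on hosts with a large pid_max.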
IV. MITRE ATT&CK
- T1059 – Command and Scripting Interpreter
TeamTNT gained initial access by executing commands through the kubelet’s command API on kubelets that allowed anonymous access.
- T1106 – Native API
TeamTNT used the kubelet’s API to run commands inside containers and to create the tmate reverse shell needed for further operations.
- T1078.004 – Valid Accounts: Cloud Accounts
TeamTNT used the Kubernetes penetration-testing tool Peirates to gather infrastructure and cloud credentials.
- T1027.003 – Obfuscated Files or Information: Steganography
Hildegard named its IRC process “bioset”, the name of a well-known Linux kernel thread, so that it blends into a process listing.
- T1574.006 – Hijack Execution Flow: LD_PRELOAD
Hildegard used LD_PRELOAD to hide the malicious processes launched inside the containers. The malware modified /etc/ld.so.preload so that its library is loaded into every dynamically linked process and can intercept the imported functions of shared libraries.
- T1552.001 – Unsecured Credentials: Credentials in Files
Hildegard searched for credential files on the host and queried the cloud metadata service for cloud-specific credentials. The search covered cloud access keys and tokens, SSH keys, Docker credentials, and Kubernetes service account tokens.
- T1070.003 – Indicator Removal on Host: Clear Command History
All scripts are deleted immediately after they run, and every script ends with “history -c” to clear the shell history.
- T1580 – Cloud Infrastructure Discovery
Hildegard enumerated the containers running on a node through the kubelet’s API.
- T1046 – Network Service Scanning
Hildegard used the network scanner masscan to search for other kubelets on the cluster’s internal network.
- T1082 – System Information Discovery
Hildegard gathered the host’s OS, CPU and memory details and sent them to the C2.
- T1496 – Resource Hijacking
The most significant impact of Hildegard is resource hijacking and denial of service (DoS). The cryptojacking operation can quickly drain a cluster’s resources and disrupt every application running in it.
V. Recommendations
- Scheduled Backups & Patch Updates
Back up data regularly and store copies off the cluster. Apply updates consistently and patch known vulnerabilities. For the intrusion described here, that also means hardening the kubelet: anonymous access to its API should be disabled so that the command endpoint TeamTNT used is no longer reachable without credentials.
- Strong Cyber Hygiene
Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any message asking for immediate attention, links, or downloads; every source should be verified.
- Incorporate Known IOCs into IDS
Add the known IOCs of this attack to your intrusion detection system (IDS) to catch suspicious behavior related to it.
- Malware Monitoring
Continuously monitor current and new types of malware. Stay up to date on threat intelligence and advancements in order to prevent, defend against, and mitigate these threats.
- Closely Monitor Remote Access Infrastructure
Unusual activity in event logs should be investigated immediately. Reset the passwords of all accounts in case of compromise.
VI. Indicators of Compromise (IOCs)
The link below is included to assist with the download of the IOCs identified for this Threat Advisory Report. Watch for these IOCs, as well as anything that looks similar.
https://usf.box.com/s/90lgg2zi77rfphlfa0frht579tfa33av
VII. References
(1) Chen, J., Sasson, A., & Zelivansky, A. “Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes.” Palo Alto Networks Unit 42, February 5, 2021. https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
(2) “New ‘Hildegard’ Malware Targets Kubernetes Systems.” SecurityWeek, accessed February 9, 2021. https://www.securityweek.com/new-hildegard-malware-targets-kubernetes-systems
(3) O’Donnell, Lindsey. “New Malware Hijacks Kubernetes Clusters to Mine Monero.” Threatpost, accessed February 9, 2021. https://threatpost.com/new-malware-hijacks-kubernetes-clusters-to-mine-monero/163629/
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Sai Saketh Gopaluni, Chris Simpson, Ipsa Bhatt