Hildegard malware targeting Kubernetes to mine cryptocurrency

Researchers expect a large-scale attack leveraging Kubernetes resources soon

Researchers from Palo Alto Networks' Unit 42 Team have discovered a new strain of malware that targets Kubernetes clusters, as part of a sophisticated campaign from the TeamTNT cyber gang.

The malware, dubbed Hildegard, was first identified in January 2021, while its command and control (C2) domain was registered in December 2020.

According to Unit 42 researchers, Hildegard has new features that make it more persistent and covert compared to older strains of malware, and which attackers can use to access cloud resources.

The malware can encrypt its payload inside a binary, and can conceal its activity behind a genuine Linux kernel process.

It is also capable of establishing connections with the C2 server using either a tmate reverse shell or an IRC channel.

Last month, Unit 42 researchers detected a cyber incident in which the attackers were able to gain initial access through a misconfigured kubelet. After gaining an initial foothold in the Kubernetes cluster, the malware attempted to extend its reach over multiple containers and eventually launched cryptojacking operations. It also started activities to drain system resources and to interrupt the applications executing within the compromised cluster.

"Hildegard uses kubelet's API to execute commands inside containers," the researchers said.

"It looks for identity and access management (IAM) credentials from cloud metadata services and service account tokens from the Kubernetes clusters."

"The malware modifies the system DNS resolvers and uses Google's public DNS servers to avoid being detected by DNS monitoring tools."

Researchers say this is the first time they have seen TeamTNT targeting Kubernetes environments. The cyber group is known for attacking unsecured Docker daemons and deploying malicious container images.

The researchers believe that the group has likely turned their attention to Kubernetes because a hijacked Kubernetes cluster can be more rewarding for attackers. A Docker engine runs on a single host, while a Kubernetes cluster typically holds more than one, each running multiple containers.

The researchers believe this new malware campaign from TeamTNT is still under development, considering its incomplete infrastructure and codebase. However, the Unit 42 researchers also believe that the group will soon come up with advanced tools to start a large-scale deployment of their malware.

"There has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponisation stage. However, knowing this malware's capabilities and target environments, we have good reason to believe that the group will soon launch a larger-scale attack. The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters," the researchers warn.