Hildegard Crypto Malware Hijacks Kubernetes Clusters to Mine Monero
According to researchers on Palo Alto Networks’ Unit 42 team, a new malware strain, dubbed Hildegard, has been discovered targeting Kubernetes clusters for cryptocurrency mining.
Hildegard was first detected in January 2021 and is used to launch cryptojacking operations. Researchers say the campaign may still be in its reconnaissance and weaponization stage.
On Wednesday, Palo Alto Networks researchers Jay Chen, Aviv Sasson, and Ariel Zelivansky wrote that the campaign, which they attribute to the TeamTNT group, is still evolving: its codebase and infrastructure are incomplete, and most of Hildegard's infrastructure has been online for less than two months. They warn that TeamTNT may eventually launch a large-scale cryptojacking attack via Kubernetes environments or steal data from applications running in Kubernetes clusters.
The malware gains initial access through a misconfigured kubelet, the primary node agent that runs on each Kubernetes node. Because the kubelet can list and run commands in every container on its node, a kubelet that accepts unauthenticated requests hands an attacker that node without any credentials. After gaining access, the malware infects as many containers as possible and begins a cryptojacking operation.
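The kubelet misconfiguration is the check a defender most wants to run. The following is an added example, not Unit 42's tooling or anything from the report: it sends an anonymous GET to the kubelet's `/pods` endpoint and classifies the reply, and it audits a `KubeletConfiguration` (given as a dict) for the settings that make anonymous access possible. It assumes the kubelet's default HTTPS port 10250; the sample configs and response bodies are constructed for illustration.

```python
"""Probe a kubelet for anonymous API access and audit its configuration.

Illustrative example added to this article; not code from Unit 42 or
from TeamTNT.  Assumes the default kubelet port 10250 and the /pods
endpoint.  Sample configs and responses below are constructed.
"""
import json
import ssl
import urllib.error
import urllib.request

KUBELET_PORT = 10250  # assumption: default kubelet HTTPS port


def classify_pods_response(status, body):
    """Turn the result of an unauthenticated GET /pods into a verdict.

    Returns (verdict, pod_count).  A 200 with a PodList means anyone who
    can reach the port can enumerate, and via /run or /exec usually
    control, every container on the node.
    """
    if status == 200:
        try:
            items = json.loads(body).get("items", [])
        except (ValueError, AttributeError):
            return ("exposed", 0)
        return ("exposed", len(items))
    if status in (401, 403):
        return ("auth-required", 0)
    return ("unknown", 0)


def probe_kubelet(host, port=KUBELET_PORT, timeout=5.0):
    """Send an anonymous GET /pods to a live kubelet and classify the reply.

    Certificate verification is disabled because kubelet serving certs
    are normally self-signed; this tests authentication, not TLS.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}/pods"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return classify_pods_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_pods_response(err.code, err.read())


def audit_kubelet_config(cfg):
    """Report weak settings in a KubeletConfiguration dict.

    Field names follow kubelet.config.k8s.io/v1beta1.
    """
    findings = []
    auth = cfg.get("authentication", {})
    if auth.get("anonymous", {}).get("enabled", False):
        findings.append("authentication.anonymous.enabled is true")
    if cfg.get("authorization", {}).get("mode") == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow")
    if cfg.get("readOnlyPort", 0) != 0:
        findings.append("readOnlyPort %d is open" % cfg["readOnlyPort"])
    return findings


# Constructed sample: a kubelet that lets anyone in.
WEAK_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}

# Constructed sample: the hardened form (client certs or webhook tokens,
# SubjectAccessReview-based authorization, no read-only port).
HARDENED_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}

# Constructed sample /pods reply bodies.
EXPOSED_BODY = json.dumps(
    {"kind": "PodList", "items": [{"metadata": {"name": "web-0"}},
                                  {"metadata": {"name": "db-0"}}]}
).encode()
DENIED_BODY = b"Unauthorized"

if __name__ == "__main__":
    import sys
    print(classify_pods_response(200, EXPOSED_BODY))   # ('exposed', 2)
    print(classify_pods_response(401, DENIED_BODY))    # ('auth-required', 0)
    print(audit_kubelet_config(WEAK_CONFIG))
    print(audit_kubelet_config(HARDENED_CONFIG))       # []
    if len(sys.argv) > 1:                              # optional live probe
        print(probe_kubelet(sys.argv[1]))
```

Run it with a node IP as the first argument to probe a real kubelet from a host that can reach port 10250; an "exposed" verdict with a non-zero pod count is exactly the condition the article describes. The audit function reads the same fields you would set in the kubelet's config file, so it can be pointed at a parsed config from each node to find the weak setting before an attacker does.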
Hildegard, Feature-rich Malware
The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters.
The researchers noted that this was the first time TeamTNT has been seen targeting Kubernetes environments. The malware has multiple ways of establishing C2 connections and hides its activity behind a legitimate, easily overlooked Linux kernel process name. It encrypts its malicious payload inside a binary to make automated static analysis harder.
The team added that Hildegard is one of the most complicated and feature-rich malware samples they have seen from TeamTNT. The threat actor has developed more sophisticated tactics for initial access, execution, defense evasion, and C2, which make the malware stealthier and more persistent.
TeamTNT is thought to target Kubernetes because, unlike a Docker engine, which runs on a single host, a Kubernetes cluster typically spans more than one host, each of which can run multiple containers. Hijacking a Kubernetes cluster for crypto mining is therefore far more profitable than hijacking a single Docker host.
Tal Morgenstern, the co-founder of remediation intelligence provider Vulcan Cyber Ltd, said that threat actors are leveraging a combination of Kubernetes misconfigurations and known vulnerabilities. IT teams must closely coordinate with their security counterparts to prioritize remediation, especially for external-facing assets and high-risk vulnerabilities.
Morgenstern added that Kubernetes could be quickly secured, with focus and cross-team collaboration to get the fix done and prevent these kinds of attacks.