# Hildegard: New TeamTNT Malware Targeting Kubernetes

[By Jay Chen, Aviv Sasson and Ariel Zelivansky](https://unit42.paloaltonetworks.com/author/jaychenpaloaltonetworks-com/)
February 3, 2021 at 6:00 AM
[Category: Unit 42](https://unit42.paloaltonetworks.com/category/unit-42/)
[Tags: Cloud, containers, cryptojacking, Docker, Kubernetes, public cloud, TeamTnT](https://unit42.paloaltonetworks.com/tag/cloud/)

## Executive Summary

In January 2021, Unit 42 researchers detected a new malware campaign targeting Kubernetes clusters. The attackers gained initial access via a misconfigured [kubelet](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=Synopsis,object%20that%20describes%20a%20pod.) that allowed anonymous access. Once it had a foothold in a Kubernetes cluster, the malware attempted to spread over as many containers as possible and eventually launched cryptojacking operations. Based on the tactics, techniques and procedures (TTPs) the attackers used, we believe this is a new campaign from [TeamTNT](https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials). We refer to this new malware as Hildegard, the username of the tmate account that the malware used.

TeamTNT is known for exploiting unsecured Docker daemons and deploying malicious container images, as documented in previous research ([Cetus](https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/), Black-T and TeamTNT DDoS). However, this is the first time we have found TeamTNT targeting Kubernetes environments.
In addition to the same tools and domains identified in TeamTNT's previous campaigns, this new malware carries multiple new capabilities that make it more stealthy and persistent. In particular, we found that TeamTNT's Hildegard malware:

- Uses two ways to establish command and control (C2) connections: a [tmate](https://tmate.io/) reverse shell and an [Internet Relay Chat (IRC)](https://modern.ircdocs.horse/) channel.
- Uses a known Linux process name (bioset) to disguise the malicious process.
- Uses a [library injection technique based on LD_PRELOAD](https://attack.mitre.org/techniques/T1574/006/) to hide the malicious processes.
- Encrypts the malicious payload inside a binary to make automated static analysis more difficult.

We believe that this new malware campaign is still under development, given its seemingly incomplete codebase and infrastructure. At the time of writing, most of Hildegard's infrastructure has been online for only a month. The C2 domain borg[.]wtf was registered on Dec. 24, 2020, the IRC server went online on Jan. 9, 2021, and some malicious scripts have been updated frequently. The malware campaign has ~25.05 KH/s of hashing power, and there is 11 XMR (~$1,500) in the wallet.

**There has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponization stage.** However, knowing this malware's capabilities and target environments, we have good reason to believe that the group will soon launch a larger-scale attack. The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters.
[Palo Alto Networks customers running Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud) are protected from this threat by the Runtime Protection feature, the Cryptominer Detection feature and the Prisma Cloud Compute Kubernetes Compliance Protection, which alerts on an insufficient Kubernetes configuration and provides secure alternatives.

_Figure 1. Attacker and malware's movement._

## Tactics, Techniques and Procedures

Figure 1 illustrates how the attacker entered, moved laterally and eventually performed cryptojacking in multiple containers.

1. The attacker started by exploiting an unsecured kubelet exposed on the internet and searched for containers running inside the Kubernetes nodes. After finding container 1 in Node A, the attacker attempted to perform remote code execution (RCE) in container 1.
2. The attacker downloaded [tmate](https://tmate.io/) and issued a command to run it and establish a reverse shell to tmate.io from container 1. The attacker then continued the attack over this tmate session.
3. From container 1, the attacker used [masscan](https://github.com/robertdavidgraham/masscan) to scan Kubernetes' internal network and found unsecured kubelets in Node B and Node C. The attacker then attempted to deploy a malicious crypto mining script (xmr.sh) to containers managed by these kubelets (containers 2-7).
4. Containers that ran xmr.sh started an xmrig process and established an IRC channel back to the IRC server. […] Over the reverse shell, the attacker could perform more manual reconnaissance and operations.

The indicators of compromise (IOCs) found in each container are listed below.
These files are either shell scripts or Executable and Linkable Format (ELF) binaries. The IOC section at the end of the blog contains the hash and details of each file.

**Container 1:** TDGG was dropped and executed via the kubelet. TDGG then downloaded and executed tt.sh, api.key and tmate. The attacker used the established tmate connection to drop and run sGAU.sh, kshell, install_monerod.bash, setup_moneroocean_miner.sh and xmrig (MoneroOcean).

**Containers 2-7:** xmr.sh was dropped and executed via the kubelet.

**Container 4:** The attacker also established a tmate session in this container. The attacker then dropped and executed pei.sh, pei64/32, xmr3.assi, aws2.sh, t.sh, tmate, x86_64.so, xmrig and xmrig.so.

Figure 2 maps the malware campaign's TTPs to [MITRE ATT&CK](https://attack.mitre.org/) tactics. The following sections detail the techniques used in each stage.

_Figure 2. Attacker's tactics, techniques and procedures._

## Initial Access

The [kubelet](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=The%20kubelet%20is%20the%20primary,object%20that%20describes%20a%20pod.) is an agent running on each Kubernetes node. It takes RESTful requests from various components (mainly kube-apiserver) and performs pod-level operations. Depending on the configuration, the kubelet may or may not accept unauthenticated requests. Standard Kubernetes deployments come with [anonymous access to the kubelet enabled by default](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#kubelet-authentication).
However, most managed Kubernetes services, such as [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/en-us/services/kubernetes-service/), Google Kubernetes Engine (GKE) and [Kubernetes Operations (kops)](https://github.com/kubernetes/kops), enforce proper authentication by default. The insecure default comes from the kubelet's legacy command-line flags, `--anonymous-auth=true` and `--authorization-mode=AlwaysAllow`; the KubeletConfiguration file that installers such as kubeadm generate defaults to anonymous access off and Webhook authorization, so the exposed case is a node that was set up by hand with flags only.

We discovered that TeamTNT gained initial access with the Hildegard malware by executing commands through a kubelet that allowed anonymous access.

## Execution

Hildegard uses the kubelet's API to execute commands inside containers. The initial commands create a tmate reverse shell that allows the attacker to carry out the subsequent operations. Unlike the techniques TeamTNT used in the past, this malware campaign did not pull or run any new container image.

## Privilege Escalation

Although Unit 42 researchers have not observed an attempt to perform privilege escalation, the malware dropped two adversarial tools, [Peirates](https://github.com/inguardians/peirates) and BOtB, which are capable of breaking out of containers via known vulnerabilities or of accessing cloud resources via exposed cloud credentials.

##### Container Breakout

BOtB can perform a container breakout using a known vulnerability such as CVE-2019-5736 (the runc breakout). It can also escape from privileged containers that have the required capabilities (CAPS) and syscalls enabled.

##### Access to Cloud Resources

Peirates can gather multiple infrastructure and cloud credentials. It looks for identity and access management (IAM) credentials from cloud metadata services and service account tokens from the Kubernetes clusters. With the identified credentials, it then further attempts to move laterally or gain control of the cluster.
While we observed Peirates in use, the container it was executed in had no credentials.

## Defense Evasion

##### Library Injection

Hildegard uses [LD_PRELOAD](https://attack.mitre.org/techniques/T1574/006/) to hide the malicious processes launched inside the containers. The malware modifies the /etc/ld.so.preload file so that its shared object is loaded into every dynamically linked process, where it intercepts functions imported from shared libraries. In particular, the malware overrides two functions, [readdir() and readdir64()](https://www.mkssoftware.com/docs/man3/readdir.3.asp), which are responsible for returning the directory entries in the file system. The overridden functions filter the results of queries to directory entries under /proc, dropping the entries associated with keywords such as tmate, xmrig and ziggy. This way, when applications try to identify the running processes (by reading files under /proc) in the containers, tmate, xmrig and ziggy are not found. Linux tools such as [ps, top](https://man7.org/linux/man-pages/man1/ps.1.html) and many other container monitoring tools are blinded to these malicious processes. The hook only affects processes that go through libc's readdir() inside the container: reading /proc from the host (where the container's ld.so.preload is not in effect), using a statically linked tool, or probing /proc/<pid> directly with stat() all sidestep it.

_Figure 3. Function that overwrites readdir64() in x86_64.so._

##### Encrypted ELF Binary

Hildegard deploys an IRC agent built from the open-source project [ziggystartux](https://github.com/isdrupter/ziggystartux). To avoid detection by automated static analysis tools, the ziggystartux ELF is encrypted and packed inside another binary (ziggy). When the binary is executed, the ziggystartux ELF is decrypted with a hardcoded Advanced Encryption Standard (AES) key and executed in memory.
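The readdir() hiding described under Library Injection can be checked for from inside a suspect container. The Python script below is an added example, not code from this post or from the malware: it reads /etc/ld.so.preload (a stock container image has no such file) and compares the PIDs that readdir() returns for /proc with the PIDs that stat() finds, since the hook filters listings but cannot intercept stat(). The preload text in the usage notes and the file paths are assumptions for illustration.

```python
"""
Cross-check for readdir()-based process hiding, run from inside a container.

Added example; this is not code from the Unit 42 post or from Hildegard.
It assumes a glibc-based Linux container. The preload text and paths are
constructed for illustration.

An LD_PRELOAD hook on readdir()/readdir64() only filters directory listings
(what ls, ps, top and os.listdir() see). It cannot intercept stat(), so a PID
that is missing from the listing of /proc while /proc/<pid> still exists is
being hidden from us.
"""
import os
import re
from typing import Iterable, List, Set

PRELOAD_PATH = "/etc/ld.so.preload"


def parse_preload(text: str) -> List[str]:
    """Library paths named in an ld.so.preload file.

    The dynamic loader accepts whitespace or ':' as separators and treats
    '#' as a comment character.
    """
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def read_preload(path: str = PRELOAD_PATH) -> List[str]:
    """Entries of the live preload file, or [] when it does not exist."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return parse_preload(fh.read())
    except FileNotFoundError:
        return []


def listed_pids(proc: str = "/proc") -> Set[int]:
    """PIDs as returned by readdir(), the call the hook tampers with."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(pid_max: int, proc: str = "/proc") -> Set[int]:
    """PIDs found by stat()ing /proc/<pid> directly; the hook cannot filter this."""
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):
        if os.path.isdir(f"{proc}/{pid}"):
            found.add(pid)
    return found


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """Processes that exist but are absent from the directory listing."""
    return set(probed) - set(listed)


def pid_max(proc: str = "/proc") -> int:
    """Upper bound of the PID space, falling back to the classic default."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768


if __name__ == "__main__":
    for lib in read_preload():
        print(f"[!] {PRELOAD_PATH} injects {lib} into every dynamically linked process")
    for pid in sorted(hidden_pids(listed_pids(), probed_pids(pid_max()))):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        print(f"[!] pid {pid} ({comm}) exists but is hidden from readdir()")
```

The sweep costs one stat() per possible PID, so on a system with pid_max raised to 4194304 it takes a few seconds; a process that exits between the two passes shows up as a false positive, so re-run before acting on a single hit. A preload file containing something like `/usr/local/lib/x86_64.so` is a finding on its own, regardless of what the PID comparison says.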
##### Process Name Disguise

The malware names the IRC process "bioset", the name of a well-known Linux kernel process (bioset). If one looks only at the names of the running processes on a host, one can easily overlook this disguised process. The tell is that a real kernel thread has kthreadd (PID 2) as its parent and no executable behind /proc/<pid>/exe, whereas the disguised IRC client has a parent in user space and a readable exe link.

##### DNS Monitoring Bypass

The malware modifies the system's DNS resolvers and uses Google's public DNS servers to avoid detection by DNS monitoring tools. An egress policy that only allows pods to reach the cluster resolver on port 53 both defeats this bypass and makes the attempt visible.

_Figure 5. DNS resolver modification._

##### Delete Files and Clear Shell History

All the scripts are deleted immediately after being executed. TeamTNT also uses the "history -c" command to clear the shell log in every script.

_Figure 6. The script clears the history and deletes itself._

## Credential Access

Hildegard searches for credential files on the host and queries the cloud metadata service for cloud-specific credentials. The identified credentials are sent back to the C2. The searched credentials include:

- Cloud access keys.
- Cloud access tokens.
- Docker credentials.
- Kubernetes service tokens.

The metadata servers searched:

- 169.254.169.254 (the instance metadata service of the major cloud providers)
- 169.254.170.2 (the AWS ECS task credential endpoint)

_Figure 7. The script looks for credentials._

## Discovery

Hildegard performs several reconnaissance operations to explore the environment:

- It gathers and sends back the host's OS, CPU and memory information.
- It uses [masscan](https://github.com/robertdavidgraham/masscan) to search for kubelets in Kubernetes' internal network.
- It uses the kubelet's API to search for the running containers on a particular node.

Pods have no legitimate reason to talk to the kubelet port (10250) of other nodes, so a pod sweeping that port across the node network is a high-fidelity signal in flow logs, and restricting 10250 to the API server's addresses removes the lateral path.

## Lateral Movement

Hildegard mainly uses the unsecured kubelet to move laterally inside a Kubernetes cluster.
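The discovery and lateral-movement steps above come down to two kubelet calls: listing a node's pods and running a command in one of them. The Python below is an added example, not code from this post or from the malware. The endpoints are the real kubelet ones (GET /pods returns the node's PodList; POST /run/<namespace>/<pod>/<container> with a form field `cmd` executes a command in that container), while the node address, the sample PodList and the command are constructed. It also classifies the HTTP status an anonymous request gets, which is how an auditor tells an open kubelet from a hardened one. Use it only against clusters you are authorised to test.

```python
"""
Enumerating an anonymous kubelet, and telling an open one from a hardened one.

Added example; this is not code from the Unit 42 post or from Hildegard.
GET /pods and POST /run/<ns>/<pod>/<container> (form field `cmd`) are real
kubelet endpoints. The node address, the sample PodList and the command are
constructed for illustration. kshell and sGAU.sh in the IOC list do the same
thing for real.
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import List, Tuple

KUBELET_PORT = 10250  # the port sGAU.sh has masscan sweep the node network for


def parse_pods(body: str) -> List[Tuple[str, str, str]]:
    """Flatten a kubelet /pods response into (namespace, pod, container) triples."""
    triples = []
    for item in json.loads(body).get("items", []):
        meta = item.get("metadata", {})
        ns, pod = meta.get("namespace", "default"), meta.get("name", "")
        for container in item.get("spec", {}).get("containers", []):
            triples.append((ns, pod, container["name"]))
    return triples


def run_request(node: str, ns: str, pod: str, container: str, cmd: str) -> Tuple[str, bytes]:
    """URL and form body for the kubelet /run endpoint, i.e. what kshell sends."""
    url = f"https://{node}:{KUBELET_PORT}/run/{ns}/{pod}/{container}"
    return url, urllib.parse.urlencode({"cmd": cmd}).encode()


def classify(status: int) -> str:
    """Read the result of an unauthenticated GET /pods.

    200  anonymous auth on and authorization AlwaysAllow: Hildegard's entry condition
    401  anonymous auth off: the request never reached authorization
    403  anonymous user accepted but the Webhook authorizer denied it: reachable,
         not exploitable without credentials
    """
    return {200: "open", 401: "authn-required", 403: "authz-denied"}.get(status, "unknown")


def probe(node: str, timeout: float = 5.0) -> Tuple[str, str]:
    """Fetch /pods anonymously. Kubelets use self-signed serving certificates,
    so verification is off; the traffic is still TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{node}:{KUBELET_PORT}/pods")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(resp.status), resp.read().decode()
    except urllib.error.HTTPError as err:
        return classify(err.code), ""
    except (urllib.error.URLError, OSError):
        return "unreachable", ""


# Constructed PodList, trimmed to the fields the parser reads.
SAMPLE_PODS = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "default", "name": "web-7d9f"},
         "spec": {"containers": [{"name": "nginx"}, {"name": "sidecar"}]}},
        {"metadata": {"namespace": "kube-system", "name": "kube-proxy-x1"},
         "spec": {"containers": [{"name": "kube-proxy"}]}},
    ],
})

if __name__ == "__main__":
    import sys
    node = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.12"   # constructed address
    verdict, body = probe(node) if len(sys.argv) > 1 else ("open", SAMPLE_PODS)
    print(f"{node}: {verdict}")
    if verdict == "open":
        for ns, pod, ctr in parse_pods(body):
            url, data = run_request(node, ns, pod, ctr, "id")
            print(f"  {ns}/{pod}/{ctr} -> POST {url} {data!r}")
```

The script only builds the /run request and never sends it; sending it is the step at which an audit becomes an intrusion. A verdict of `open` on a node reachable from a pod is exactly the condition sGAU.sh looks for before it pushes xmr.sh into every container on that node.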
During the discovery stage, the malware finds the exploitable kubelets and the containers these kubelets manage. The malware then creates C2 channels (tmate or IRC) and deploys malicious crypto miners in these containers. Although not observed by Unit 42 researchers, the attacker may also move laterally with the stolen credentials.

## Command and Control

Once it has gained the initial foothold in a container, Hildegard establishes either a tmate session or an IRC channel back to the C2. It is unclear how TeamTNT chooses between and tasks these two C2 channels, as both can serve the same purpose. At the time of writing, tmate sessions are the only way the attacker interacts with the compromised containers. Unit 42 researchers have not observed any commands in the IRC channel. However, the IRC server's metadata indicates that the server was deployed on Jan. 9, 2021, and around 220 clients are currently connected to it. Both channels need outbound connectivity from the pod, tmate to tmate.io and IRC to port 6667 on the servers listed in the IOCs, which makes pod egress filtering an effective control against this campaign.

_Figure 9. Tmate named session created by the malware._

_Figure 10. The IRC servers are hardcoded in the ziggy binary._

_Figure 11. The IRC traffic captured at the IRC client._

## Impact

The most significant impact of the malware is resource hijacking and denial of service (DoS). The cryptojacking operation can quickly drain the entire system's resources and disrupt every application in the cluster. The xmrig mining process joins the [supportxmr](https://supportxmr.com/) mining pool using the wallet address `428uyvSqdpVZL7HHgpj2T5SpasCcoHZNTTzE3Lz2H5ZkiMzqayy19sYDcBGDCjoWbTfLBnc3tc9rG4Y8gXQ8fJiP5tqeBda`. At the time of writing, the malware campaign has ~25.05 KH/s of hashing power and there is 11 XMR (~$1,500) in the wallet.

_Figure 12. Mining activity on supportxmr._
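The whole chain starts from the kubelet settings described under Initial Access, and those settings are auditable on every node. The Python below is an added example, not code from this post or from the Kubernetes project. It assumes the field names of the kubelet.config.k8s.io/v1beta1 KubeletConfiguration (the file passed to `--config`) and their legacy flag equivalents, resolves them the way the kubelet does (an explicit flag overrides the file; an absent setting takes the flag default when no file is used and the file default otherwise), and reports every setting that leaves the API open. The sample documents and flag sets are constructed.

```python
"""
Audit the kubelet settings that turn Hildegard's initial access into one HTTP request.

Added example; not code from the Unit 42 post or from the Kubernetes project.
It assumes kubelet.config.k8s.io/v1beta1 KubeletConfiguration field names and
the matching legacy command-line flags. The sample documents are constructed.

Resolution order, as the kubelet applies it:
  * a flag given on the command line overrides the same setting in the file;
  * an absent setting takes the legacy flag default when no config file is in
    use (anonymous access on, AlwaysAllow), and the file default otherwise
    (anonymous off, Webhook authorization, read-only port disabled).
"""
from typing import Any, Dict, List, Optional

# (config key, flag name, flag default, config-file default, safe predicate, finding text)
CHECKS = [
    ("authentication.anonymous.enabled", "anonymous-auth", True, False,
     lambda v: v is False,
     "anonymous requests are accepted as system:anonymous"),
    ("authorization.mode", "authorization-mode", "AlwaysAllow", "Webhook",
     lambda v: v == "Webhook",
     "authorization is not delegated to the API server (SubjectAccessReview), "
     "so whatever authenticates, anonymous included, is allowed"),
    ("authentication.x509.clientCAFile", "client-ca-file", None, None,
     lambda v: bool(v),
     "no client CA is configured, so client certificates are never verified"),
    ("readOnlyPort", "read-only-port", 10255, 0,
     lambda v: v == 0,
     "the unauthenticated read-only port serves /pods and node metrics"),
]


def _get(cfg: Dict[str, Any], dotted: str) -> Optional[Any]:
    cur: Any = cfg
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def effective(cfg: Dict[str, Any], flags: Dict[str, Any], key: str, flag: str,
              flag_default: Any, file_default: Any) -> Any:
    """Resolve one setting the way the kubelet does."""
    if flag in flags:                 # an explicit flag wins over the file
        return flags[flag]
    value = _get(cfg, key)
    if value is not None:             # an explicit file value
        return value
    return file_default if cfg else flag_default   # defaults of whichever source is in use


def audit_kubelet(cfg: Dict[str, Any], flags: Dict[str, Any]) -> List[str]:
    """One finding per setting that leaves the kubelet API exposed; [] means clean."""
    findings = []
    for key, flag, flag_default, file_default, ok, why in CHECKS:
        value = effective(cfg, flags, key, flag, flag_default, file_default)
        if not ok(value):
            findings.append(f"{key} (--{flag}) = {value!r}: {why}")
    return findings


# Constructed: a node started with flags only and nothing set. This is the
# configuration Hildegard's initial access relies on.
BARE = ({}, {})

# Constructed: the shape kubeadm and the managed services produce.
HARDENED = ({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}, {})

if __name__ == "__main__":
    for label, (cfg, flags) in (("bare flags", BARE), ("hardened file", HARDENED)):
        print(f"== {label}")
        for finding in audit_kubelet(cfg, flags) or ["no findings"]:
            print("  " + finding)
```

To run it against a real node, load the file named by the kubelet's `--config` argument with a YAML parser into `cfg` and turn the remaining command-line arguments into the `flags` dict; the check that matters most for this campaign is the first one, because a kubelet that answers anonymous requests with 401 never reaches the stage where authorization or a read-only port could help the attacker.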
## Conclusion

[…] one host, and every host can run multiple containers. Given the abundant resources in a Kubernetes infrastructure, a hijacked Kubernetes cluster can be more profitable than a hijacked Docker host.

This new TeamTNT malware campaign is one of the most complicated attacks targeting Kubernetes. It is also the most feature-rich malware we have seen from TeamTNT so far. In particular, the threat actor has developed more sophisticated tactics for initial access, execution, defense evasion and C2. These efforts make the malware more stealthy and persistent. Although the malware is still under development and the campaign is not yet widely spread, we believe the attacker will soon mature the tools and start a large-scale deployment.

[Palo Alto Networks customers running Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud) are protected from this threat by the Runtime Protection features, Cryptominer Detection and the Prisma Cloud Compute Kubernetes Compliance Protection, which alerts on an insufficient Kubernetes configuration and provides secure alternatives.

_Figure 13. Prisma Cloud Compute Kubernetes compliance protections._

_Figure 14. Prisma Cloud Compute alerting on a crypto mining incident._

## Indicators of Compromise

##### Domains/IPs:
|Domain/IP|Description|
|---|---|
|the.borg[.]wtf (45.9.150[.]36)|This machine hosts malicious files used in the campaign and receives the information the scripts send back. Hosted files: TDGG, api.key, tmate, tt.sh, sGAU.sh, t.sh, x86_64.so, xmr.sh, xmrig, xmrig.so, ziggy, xmr3.assi|
|147.75.47[.]199|The malware connects to this IP to obtain the victim host's public IP.|
|teamtnt[.]red (45.9.148[.]108)|This host hosts malicious scripts and binaries. Hosted files: pei.sh, pei64.|
|borg[.]wtf (45.9.148[.]108)|This host hosts malicious scripts and binaries. Hosted files: aws2.sh|
|irc.borg[.]wtf (123.245.9[.]147)|This host is one of the C2s. It runs an IRC server on port 6667.|
|sampwn.anondns[.]net (13.245.9[.]147)|This host is one of the C2s. It runs an IRC server on port 6667.|
|164.68.106[.]96|This host is one of the C2s. It runs an IRC server on port 6667.|
|62.234.121[.]105|This host is one of the C2s. It runs an IRC server on port 6667.|

##### Files:

|SHA256|File Name|Type|Description|
|---|---|---|---|
|2c1528253656ac09c7473911b24b243f083e60b98a19ba1bbb050979a1f38a0f|TDGG|script|This script downloads and executes z.sh.|
|2cde98579162ab165623241719b2ab33ac40f0b5d0a8ba7e7067c7aebc530172|z.sh|script|This script downloads and runs tmate. It collects system information from the victim's host and sends the collected data to C2 (45.9.150[.]36).|
|b34df4b273b3bedaab531be4…|api.key|text|The API key is used for creating […] compromised containers.|
|d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f|tmate|ELF|tmate v2.4.0|
|74e3ccaea4df277e1a9c458a671db74aa47630928a7825f75994756512b09d64|sGAU.sh|script|This script downloads and installs masscan. It scans Kubernetes' internal IP range for kubelets running on port 10250. If masscan finds an exploitable kubelet, it attempts to download and execute a cryptojacking script in all the containers.|
|8e33496ea00218c07145396c6bcf3e25f4e38a1061f807d2d3653497a291348c|kshell|script|The script performs remote code execution in containers via the kubelet's API. It also downloads and executes xmr.sh in a target container.|
|518a19aa2c3c9f895efa0d130e6355af5b5d7edf28e2a2d9b944aa358c23d887|install_monerod.bash|script|The script is hosted in a public GitHub repo. It pulls and builds the official monero project. It then creates a user named "monerodaemon" and starts the monero service.|
|5923f20010cb7c1d59aab36ba41c84cd20c25c6e64aace65dc8243ea827b537b|setup_moneroocean_miner.sh|script|The script is hosted in a public GitHub repo. It pulls and runs the MoneroOcean advanced version of xmrig.|
|a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9|xmrig (MoneroOcean)|ELF|xmrig 6.7.2-mo3. This binary is hosted in the MoneroOcean/xmrig GitHub repo.|
|ee6dbbf85a3bb301a2e448c7fddaa4c1c6f234a8c75597ee766c66f52540d015|pei.sh|script|This script downloads and executes pei64 or pei32, depending on the host's architecture.|
|937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d|pei64|ELF|This is a Kubernetes penetration tool from the peirates project. The tool is capable of escalating privilege and pivoting through the Kubernetes cluster.|
|72cf…62d801c5bcb185aa299ef|pei32|ELF|Same as pei64, but for i686.|
|12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3|xmr3.assi|script|The script downloads and runs aws2.sh, t.sh and xmrig.|
|053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e|aws2.sh|script|The script searches for cloud credentials and sends the identified credentials to C2 (the.borg[.]wtf).|
|e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7|t.sh|script|The script downloads x86_64.so and tmate from C2. It modifies ld.so.preload and starts a tmate named session. It then sends the victim's system info and tmate session back to C2.|
|77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8|x86_64.so|ELF|This shared object replaces the existing /etc/ld.so.preload file. It uses the LD_PRELOAD trick to hide the tmate process.|
|78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983|xmrig|ELF|xmrig v6.7.0|
|3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f|xmrig.so|ELF|This shared object replaces the existing /etc/ld.so.preload. It uses the LD_PRELOAD trick to hide the xmrig process.|
|fe0f5fef4d78db808b9dc4e63eeda9f8626f8ea21b9d03cbd884e37cde9018ee|xmr.sh|script|The script downloads and executes xmrig and ziggy.|
|74f122fb0059977167c5ed34a7e217d9dfe8e8199020e3fe19532be108a7d607|ziggy|ELF|ziggy is a binary that packs an encrypted ELF. The binary decrypts the ELF at runtime and runs it in memory. The encrypted ELF is built from ZiggyStarTux, an IRC client for embedded devices.|