Hildegard: new TeamTNT malware targeting the Kubernetes platform

Introduction

Researchers have detected new malware activity targeting Kubernetes clusters. Kubernetes is a platform designed to run application containers across a cluster of hosts.

The attacker gains initial access through a misconfigured kubelet that allows anonymous access. Once it has a foothold in the cluster, the malware tries to spread to as many containers as possible and eventually launches the cryptojacking payload. Based on the tactics, techniques and procedures (TTPs) used, we believe this attack was initiated by the TeamTNT group. We call this new malware Hildegard, after the username of the tmate account the malware uses.

The group is known for exploiting insecure Docker daemons and deploying malicious container images. However, this is the first time we have seen TeamTNT target a Kubernetes environment. Besides the same tools and domains identified in TeamTNT's earlier activity, this new malware has several new features that make it more covert and persistent. In particular, we found that the TeamTNT malware:

Establishes command-and-control in two ways: a tmate reverse shell and an Internet Relay Chat (IRC) channel.
Uses a known kernel-thread name (bioset) to disguise its malicious processes.
Uses LD_PRELOAD-based library injection to hide its malicious processes from process listings.
Encrypts its malicious payload inside the binary, which makes automated static analysis more difficult.
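As an added example (written for this page, not code from the report or from TeamTNT's tooling), a small Python audit for two of the evasion tricks listed above: the bioset name masquerade and LD_PRELOAD-based process hiding. It assumes the common hooking approach of a preloaded library filtering readdir() results for /proc; the process records, the ld.so.preload contents and the library path are constructed sample data.

```python
import os

KTHREADD_PID = 2  # every Linux kernel thread is a child of kthreadd (PID 2)

# Constructed sample data shaped like /proc/<pid>/{status,comm,exe,cmdline},
# plus a constructed /etc/ld.so.preload. The library path is a placeholder.
SAMPLE_PROCS = [
    {"pid": 120, "ppid": 2, "comm": "bioset", "exe": "", "cmdline": ""},  # real kernel thread
    {"pid": 4711, "ppid": 1, "comm": "bioset", "exe": "/tmp/.h/miner",    # user-space impostor
     "cmdline": "bioset --config /tmp/.h/c.json"},
    {"pid": 900, "ppid": 1, "comm": "sshd", "exe": "/usr/sbin/sshd", "cmdline": "/usr/sbin/sshd -D"},
]
SAMPLE_PRELOAD = "# constructed\n/usr/local/lib/libhide.so\n"

def check_ld_preload(preload_text):
    """Entries in /etc/ld.so.preload are injected into every dynamically linked
    process on the host. A stock host has none, so any entry deserves review."""
    return [ln.strip() for ln in preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def find_masqueraders(procs, name="bioset"):
    """A genuine bioset is a kernel thread: parented by kthreadd, no executable
    on disk, empty cmdline. A user-space process wearing that name fails this."""
    return [p["pid"] for p in procs
            if p["comm"] == name
            and (p["ppid"] != KTHREADD_PID or p["exe"] or p["cmdline"])]

def find_hidden_pids(listed_pids, probed_pids):
    """PIDs that answer to a direct stat() of /proc/<pid> but are missing from the
    directory listing point at a readdir() hook hiding them from ps and ls."""
    return sorted(set(probed_pids) - set(listed_pids))

def probe_live_proc():
    """Live check: os.listdir goes through libc readdir (hookable), while
    os.path.exists goes through stat (untouched by a readdir-only hook)."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    probed = {pid for pid in range(1, pid_max) if os.path.exists(f"/proc/{pid}")}
    return find_hidden_pids(listed, probed)

if __name__ == "__main__":
    print("ld.so.preload entries:", check_ld_preload(SAMPLE_PRELOAD))
    print("bioset impostors:", find_masqueraders(SAMPLE_PROCS))
    print("hidden PIDs (sample):", find_hidden_pids([1, 2, 900], [1, 2, 900, 4711]))
```

Run as root on a suspect host, `probe_live_proc()` sweeps every PID up to pid_max, which takes a few seconds on hosts where pid_max is in the millions.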

The attack flow of the attacker and the malware is shown in the figure below.

[Figure: attack flow of the attacker and the malware]

Conclusion

Unlike Docker, which runs on a single host, a Kubernetes cluster usually spans multiple hosts, each of which can run multiple containers. Given the large amount of resources in Kubernetes infrastructure, a hijacked Kubernetes cluster is more profitable to an attacker than a hijacked Docker host. This new TeamTNT campaign is one of the most sophisticated attacks against Kubernetes.

So far, this is also the most feature-rich malware we have seen from the TeamTNT group. In particular, the attackers have developed more sophisticated techniques for initial access, execution, defense evasion and C2, which make the malware more covert and persistent. Although the malware is still under development and has not yet spread widely, we believe the attackers will soon mature these tools and begin mass deployment.

IOCs
