TeamTNT’s New Trump Card
In January, researchers from Palo Alto Networks detected TeamTNT's Hildegard malware targeting Kubernetes systems, at its reconnaissance and weaponization stage.
To gain access to Kubernetes environments for cryptojacking, and potentially to exfiltrate confidential data from tens of thousands of applications running in the clusters, the attackers primarily exploited misconfigured kubelet agents. The Hildegard malware uses a tmate reverse shell and an IRC channel to establish C&C connections. It disguises its malicious process under a known Linux process name (bioset). Furthermore, the malware hides malicious processes using library injection to evade detection, and encrypts the malicious payload inside a binary to make automated static analysis more difficult.
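A defender can check a node for the two evasion tricks described above: a userland process carrying a kernel-thread name such as bioset, and an injected preload library. The following Python code is an added example, not code from Palo Alto Networks or the original article; it assumes the library injection goes through /etc/ld.so.preload (the article does not name the mechanism), and the kernel-thread name list and sample status excerpts are constructed for illustration.

```python
import os

KTHREAD_NAMES = {"bioset", "kthreadd", "kworker", "ksoftirqd"}  # illustrative list

# Constructed /proc/<pid>/status excerpts: a real kernel thread and an impostor.
SAMPLE_KTHREAD = "Name:\tbioset\nPid:\t31\nPPid:\t2\n"
SAMPLE_IMPOSTOR = "Name:\tbioset\nPid:\t4120\nPPid:\t1\n"

def is_masquerading(status_text, cmdline, exe_path):
    """True if a process has a kernel-thread name but userland traits."""
    pairs = (line.partition(":") for line in status_text.splitlines())
    st = {k.strip(): v.strip() for k, sep, v in pairs if sep}
    if st.get("Name", "").split("/")[0] not in KTHREAD_NAMES:
        return False
    # Real kernel threads: PPid 2 (kthreadd; 0 for kthreadd itself),
    # empty cmdline, and no resolvable /proc/<pid>/exe link.
    kernel_like = st.get("PPid") in ("0", "2") and not cmdline and exe_path is None
    return not kernel_like

def preload_entries(text):
    """Library paths in ld.so.preload content (space/colon separated, # comments)."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].replace(":", " ").split())
    return entries

def _read(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None  # process exited, file missing, or no permission

def scan(proc="/proc", preload="/etc/ld.so.preload"):
    """Scan a live Linux host: ([(pid, exe)] flagged, preload entries)."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        status = _read(f"{proc}/{pid}/status")
        if status is None:
            continue
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            exe = None  # kernel thread, or link not readable
        text = status.decode(errors="replace")
        if is_masquerading(text, _read(f"{proc}/{pid}/cmdline"), exe):
            hits.append((int(pid), exe))
    return hits, preload_entries((_read(preload) or b"").decode(errors="replace"))
```

Call scan() as root on the node so the exe links of other users' processes resolve. A preloaded process-hiding library can filter the /proc listing this scan relies on, so any entry returned from ld.so.preload deserves investigation before the process results are trusted.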
Recent attacks
In the past month, the group used a detection evasion method called libprocesshider, which was copied from open-source repositories. TeamTNT hackers used malicious shell files, along with AWS passwords, and deployed cryptocurrency miners to exfiltrate Docker API logins. In another analysis, Palo Alto researchers found an Ezuri loader in the group's newly formed arsenal. In December, the TeamTNT group deployed a distributed denial-of-service (DDoS) capable IRC bot named TNTbotinger.
Wrapping up
With new tools and malware, TeamTNT has been constantly expanding its capabilities and arsenal. It may be more profitable to attack a Kubernetes cluster than a hacked Docker host. The threat actor may be expected to conduct a larger-scale attack in the near future, with more advanced techniques for initial infiltration, execution, security evasion, and command and control.