TeamTNT Back at it Again - Kubernetes Edition

TeamTNT has been taking huge strides to reach the top of the ladder and its latest target is Kubernetes clusters. The gang is using a never-before-seen malware for this purpose.

What’s going on?

Unit 42 researchers discovered a new malware, Hildegard, that is being leveraged to launch cryptojacking attacks on Kubernetes clusters. The campaign has been attributed to TeamTNT because of the TTPs used by the attackers. Although this hacker group is notorious for abusing unsecured Docker daemons and deploying malicious container images, this is its first instance targeting Kubernetes clusters. 

How did it happen?

  • The first step consists of targeting an unsecured kubelet as these agents ensure that containers are running on a pod and are able to receive commands from the API server.
  • Subsequently, an RCE task is executed to download the legitimate software that builds a secure connection over SSH.
  • After scanning the clusters for other unsecured kubelet, the malware implements a cryptomining script and starts mining for Monero. 

What else is TeamTNT up to?

  • Recently, Trend Micro researchers have observed the TeamTNT botnet updated with Docker API and AWS credentials stealing capabilities, along with several other updates. 
  • The group added a new detection evasion tool—libprocesshider—that helps the malware fight shy of defense teams.

The bottom line

Researchers have not observed further activity, signifying that the malware campaign is still in its reconnaissance and weaponization phases. Moreover, the campaign has an incomplete infrastructure and codebase. However, as this is the most feature-rich malware deployed by TeamTNT to date, it has a huge potential of wreaking havoc.

Cyware Publisher

Publisher

Cyware