Hildegard

Hildegard is malware that gains initial access through misconfigured kubelets and runs cryptocurrency-mining operations on the compromised nodes. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard.[1]

ID: S0601
Type: MALWARE
Platforms: Linux, Containers, IaaS
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.2
Created: 07 April 2021
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1014 Rootkit

Hildegard has modified /etc/ld.so.preload to overwrite readdir() and readdir64().[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Hildegard has disguised itself as a known Linux process.[1]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Hildegard has created and started a systemd service named monero.[1]

Enterprise T1136 .001 Create Account: Local Account

Hildegard has created a user named "monerodaemon".[1]

Enterprise T1574 .006 Hijack Execution Flow: Dynamic Linker Hijacking

Hildegard has modified /etc/ld.so.preload to intercept shared library import functions.[1]
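The /etc/ld.so.preload hook described under T1014 and T1574.006 above hides files and processes from every dynamically linked program that calls readdir() or readdir64(), which includes ls, ps and CPython's os.listdir. The following is an added example (not code from the page or from Hildegard) that detects such a hook: it enumerates a directory through a raw getdents64() syscall, which bypasses libc, and diffs the result against os.listdir. It assumes Linux on x86_64 or aarch64 (syscall numbers 217 and 61 from the kernel's tables) and a CPython whose os.listdir goes through libc readdir; the directory and file names created by demo() are constructed.

```python
"""Detect a readdir()/readdir64() preload hook by comparing libc's view of a
directory with a raw getdents64() syscall.

Added example, not from the page or from Hildegard. Assumes Linux on x86_64
or aarch64 and CPython (os.listdir calls libc readdir, so it is subject to
the same /etc/ld.so.preload hook the malware installs).
"""
import ctypes
import ctypes.util
import os
import platform
import struct
import tempfile

# getdents64 syscall numbers per architecture (kernel unistd tables).
_GETDENTS64 = {"x86_64": 217, "aarch64": 61}

# struct linux_dirent64 header: u64 d_ino, s64 d_off, u16 d_reclen, u8 d_type,
# followed by the NUL-terminated name, padded out to d_reclen bytes.
_DIRENT_HDR = struct.Struct("<QqHB")


def raw_listdir(path):
    """Enumerate a directory with getdents64(2) directly, bypassing the libc
    readdir wrappers. Returns None when the platform is not supported."""
    nr = _GETDENTS64.get(platform.machine()) if platform.system() == "Linux" else None
    if nr is None:
        return None
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.syscall.restype = ctypes.c_long
    buf = ctypes.create_string_buffer(32768)
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    names = set()
    try:
        while True:
            n = libc.syscall(ctypes.c_long(nr), ctypes.c_int(fd), buf,
                             ctypes.c_size_t(len(buf)))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:
                break
            data = buf.raw[:n]
            off = 0
            while off < n:
                _ino, _doff, reclen, _dtype = _DIRENT_HDR.unpack_from(data, off)
                name = data[off + _DIRENT_HDR.size:off + reclen].split(b"\0", 1)[0]
                names.add(os.fsdecode(name))
                off += reclen
    finally:
        os.close(fd)
    names.discard(".")
    names.discard("..")
    return names


def hidden_entries(path):
    """Names the kernel reports but libc's readdir does not, i.e. what a
    preload hook is hiding. None when the raw check is unsupported."""
    raw = raw_listdir(path)
    if raw is None:
        return None
    return raw - set(os.listdir(path))


def preload_entries(preload_file="/etc/ld.so.preload"):
    """Shared objects forced into every dynamically linked process. The file
    is a whitespace-separated list; an empty list is the healthy state."""
    try:
        with open(preload_file) as fh:
            return [p for line in fh for p in line.split()]
    except FileNotFoundError:
        return []


def demo():
    """Run the comparison on a constructed directory. On a host without a
    readdir hook both views agree and nothing is hidden."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("xmrig", "monero.service", ".hidden"):  # constructed
            open(os.path.join(d, name), "w").close()
        raw = raw_listdir(d)
        via_libc = set(os.listdir(d))
        return {"raw": raw, "libc": via_libc,
                "hidden": None if raw is None else raw - via_libc,
                "preload": preload_entries()}


if __name__ == "__main__":
    print(demo())
```

Point hidden_entries() at /proc to surface hidden PIDs and at the directories the malware stages files in. An empty result is only meaningful if the rootkit has not also hooked libc's syscall() wrapper, so corroborate with a statically linked tool (for example a static busybox ls) or a kernel-side view such as eBPF.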

Enterprise T1140 Deobfuscate/Decode Files or Information

Hildegard has decrypted ELF files with AES.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Hildegard has used shell scripts for execution.[1]

Enterprise T1133 External Remote Services

Hildegard was executed through an unsecured kubelet that allowed anonymous access to the victim environment.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Hildegard has modified DNS resolvers to evade DNS monitoring tools.[1]

Enterprise T1613 Container and Resource Discovery

Hildegard has used masscan to search for kubelets, and the kubelet API to enumerate the containers running on each node.[1]

Enterprise T1609 Container Administration Command

Hildegard was executed through the kubelet API run command and by executing commands on running containers.[1]
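The T1133, T1613 and T1609 entries above all depend on one misconfiguration: a kubelet that accepts anonymous requests and authorizes them. The following added example (not code from the page or from TeamTNT) audits that. The flag names (--anonymous-auth, --authorization-mode, --read-only-port) and KubeletConfiguration keys (authentication.anonymous.enabled, authorization.mode, readOnlyPort) are the kubelet's own; the two command lines and the config document are constructed samples, and the severity labels are this example's choice.

```python
"""Audit the kubelet settings that gave Hildegard its foothold: anonymous
access plus AlwaysAllow authorization on port 10250, and the unauthenticated
read-only port.

Added example; not code from the page or from TeamTNT. Flag names and config
keys are the kubelet's own; the samples at the bottom are constructed.
"""
import json
import shlex

# Per setting: equivalent KubeletConfiguration path, predicate for the insecure
# value, severity (this example's choice), and why it matters. Note that the
# legacy flag defaults are the insecure values (anonymous on, AlwaysAllow,
# port 10255 open); a kubelet started with --config gets the safer
# KubeletConfiguration defaults instead.
CHECKS = {
    "--anonymous-auth": (("authentication", "anonymous", "enabled"),
                         lambda v: str(v).lower() == "true", "HIGH",
                         "anonymous requests reach the kubelet API"),
    "--authorization-mode": (("authorization", "mode"),
                             lambda v: str(v) == "AlwaysAllow", "HIGH",
                             "every request is authorized, anonymous ones included"),
    "--read-only-port": (("readOnlyPort",),
                         lambda v: str(v) != "0", "MEDIUM",
                         "unauthenticated read-only port serves /pods and node details"),
}


def parse_flags(cmdline):
    """Map --flag=value, --flag value and bare --flag tokens to a dict."""
    argv = shlex.split(cmdline)
    flags, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok.split("=", 1)
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                key, val, i = tok, argv[i + 1], i + 1
            else:
                key, val = tok, "true"
            flags[key] = val
        i += 1
    return flags


def _lookup(config, path):
    node = config
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit(cmdline, config_text=None):
    """Return findings as (severity, setting, message). Flags override the
    config file, matching the kubelet's own precedence. config_text is the
    --config file as JSON here to stay stdlib-only; a YAML loader yields the
    same dict for the usual YAML form."""
    flags = parse_flags(cmdline)
    config = json.loads(config_text) if config_text else {}
    findings = []
    for flag, (cfg_path, insecure, severity, why) in CHECKS.items():
        value, source = flags.get(flag), "flag"
        if value is None:
            value, source = _lookup(config, cfg_path), "config"
        if value is None:
            findings.append(("INFO", flag, "not set; confirm the effective default"))
        elif insecure(value):
            findings.append((severity, flag, f"{why} ({source} value {value!r})"))
    return findings


# Constructed samples: a kubelet run with legacy flags (the exposure Hildegard
# used) and one run from a hardened config file.
WEAK_CMDLINE = ("/usr/bin/kubelet --anonymous-auth=true "
                "--authorization-mode=AlwaysAllow --read-only-port=10255")
HARDENED_CMDLINE = "/usr/bin/kubelet --config=/var/lib/kubelet/config.yaml"
HARDENED_CONFIG = json.dumps({
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
})

if __name__ == "__main__":
    for finding in audit(WEAK_CMDLINE):
        print("weak:", *finding)
    print("hardened:", audit(HARDENED_CMDLINE, HARDENED_CONFIG))
```

On a node, feed audit() the output of `ps -o args= -C kubelet` and the contents of the file named by --config. With anonymous access off and Webhook authorization, the kubelet's /run and /exec endpoints that Hildegard used require a credential that the API server authorizes, and an unauthenticated scan of port 10250 gets only 401 responses.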

Enterprise T1071 Application Layer Protocol

Hildegard has used an IRC channel for C2 communications.[1]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Hildegard has searched for SSH keys, Docker credentials, and Kubernetes service tokens.[1]

.004 Unsecured Credentials: Private Keys

Hildegard has searched for private keys in .ssh.[1]

.005 Unsecured Credentials: Cloud Instance Metadata API

Hildegard has queried the Cloud Instance Metadata API for cloud credentials.[1]
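As an added example for the T1552.001 and T1552.004 entries above (not code from the page or from Hildegard), the following scanner inventories the same material on a node so a defender can see which identities a foothold would expose: SSH private keys in ~/.ssh (flagging group- or world-readable ones), registry logins in ~/.docker/config.json (decoding only the username), and the mounted service account token, whose JWT payload is decoded without verification to show the subject, namespace and whether it is time-bound. The paths are the conventional locations; the files written by demo(), including the unsigned JWT, are constructed. It does not cover the metadata API query of T1552.005.

```python
"""Inventory the credential material Hildegard hunts for on a compromised
node: SSH private keys, Docker registry logins and the Kubernetes service
account token.

Added example, not code from the page or from the malware. Paths are the
conventional locations; everything demo() writes is constructed.
"""
import base64
import json
import os
import stat
import tempfile

SA_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url_json(segment):
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def inspect_sa_token(token):
    """Decode (without verifying) a service account JWT to see which identity
    an attacker would obtain. Projected tokens carry an exp claim; legacy
    secret-based tokens do not and never expire."""
    try:
        _header, payload, _sig = token.strip().split(".")
        claims = _b64url_json(payload)
    except ValueError:
        return None
    k8s = claims.get("kubernetes.io", {})
    return {"subject": claims.get("sub"),
            "namespace": k8s.get("namespace"),
            "expires": "exp" in claims}


def inspect_docker_config(path):
    """List registries with stored logins; decode only the username part of
    the base64 'user:password' auth entry."""
    with open(path) as fh:
        cfg = json.load(fh)
    logins = []
    for registry, entry in cfg.get("auths", {}).items():
        user = None
        if entry.get("auth"):
            decoded = base64.b64decode(entry["auth"]).decode(errors="replace")
            user = decoded.split(":", 1)[0]
        logins.append((registry, user))
    return logins


def find_private_keys(ssh_dir):
    """Return (path, loose_permissions) for PEM/OpenSSH private key files."""
    found = []
    if not os.path.isdir(ssh_dir):
        return found
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(64)
        if b"PRIVATE KEY-----" in head:
            mode = os.stat(path).st_mode
            found.append((path, bool(mode & (stat.S_IRWXG | stat.S_IRWXO))))
    return found


def scan(home, sa_token_path=SA_TOKEN):
    report = {"ssh_keys": find_private_keys(os.path.join(home, ".ssh")),
              "docker_logins": [], "sa_token": None}
    docker_cfg = os.path.join(home, ".docker", "config.json")
    if os.path.isfile(docker_cfg):
        report["docker_logins"] = inspect_docker_config(docker_cfg)
    if os.path.isfile(sa_token_path):
        with open(sa_token_path) as fh:
            report["sa_token"] = inspect_sa_token(fh.read())
    return report


def demo():
    """Populate a constructed home directory and scan it."""
    with tempfile.TemporaryDirectory() as home:
        ssh = os.path.join(home, ".ssh")
        os.makedirs(ssh)
        key = os.path.join(ssh, "id_ed25519")
        with open(key, "w") as fh:  # constructed, not a real key
            fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n"
                     "-----END OPENSSH PRIVATE KEY-----\n")
        os.chmod(key, 0o644)  # deliberately loose
        docker = os.path.join(home, ".docker")
        os.makedirs(docker)
        with open(os.path.join(docker, "config.json"), "w") as fh:
            json.dump({"auths": {"registry.example.internal": {
                "auth": base64.b64encode(b"deploy:s3cret").decode()}}}, fh)
        # Unsigned, constructed JWT with the claims a projected token carries.
        enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
        claims = {"sub": "system:serviceaccount:default:default",
                  "exp": 4102444800, "kubernetes.io": {"namespace": "default"}}
        token_path = os.path.join(home, "token")
        with open(token_path, "w") as fh:
            fh.write(f"{enc({'alg': 'none'})}.{enc(claims)}.")
        return scan(home, token_path)


if __name__ == "__main__":
    print(demo())
```

Run scan() against each home directory on a node and inside any container that mounts a service account token; a token without an exp claim or bound to a service account with broad RBAC is the one to rotate first after a compromise like this.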

Enterprise T1068 Exploitation for Privilege Escalation

Hildegard has used the BOtB tool, which exploits CVE-2019-5736 (a runc flaw that lets a process running as root inside a container overwrite the host's runc binary through /proc/self/exe).[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Hildegard has packed ELF files into other binaries.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Hildegard has encrypted an ELF file.[1]

Enterprise T1070 .003 Indicator Removal: Clear Command History

Hildegard has used history -c to clear the shell command history left by its scripts.[1]

.004 Indicator Removal: File Deletion

Hildegard has deleted scripts after execution.[1]

Enterprise T1082 System Information Discovery

Hildegard has collected the host's OS, CPU, and memory information.[1]

Enterprise T1102 Web Service

Hildegard has downloaded scripts from GitHub.[1]

Enterprise T1046 Network Service Discovery

Hildegard has used masscan to look for kubelets in the internal Kubernetes network.[1]

Enterprise T1496 .001 Resource Hijacking: Compute Hijacking

Hildegard has used xmrig to mine cryptocurrency.[1]

Enterprise T1105 Ingress Tool Transfer

Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners.[1]

Enterprise T1219 Remote Access Software

Hildegard has established tmate sessions for C2 communications.[1]

Enterprise T1611 Escape to Host

Hildegard has used the BOtB tool, which can break out of containers.[1]

Groups That Use This Software

ID Name References
G0139 TeamTNT [1]

References