Researchers detect new malware targeting Kubernetes clusters to mine Monero

Cybersecurity researchers at Unit 42, the intelligence team at Paolo Alto Networks, have published a profile of a new malware campaign that targets Kubernetes clusters and can be used for the purposes of cryptojacking.

“Cryptojacking” is an industry term for stealth crypto-mining attacks that work by installing malware that uses a computer’s processing power to mine cryptocurrencies — frequently Monero (XMR) — without the user’s consent or knowledge.

A Kubernetes cluster is a set of nodes that are used to run containerized applications across multiple machines and environments, whether virtual, physical or cloud-based. According to the Unit 42 team, the attackers behind the new malware gained access initially via a misconfigured Kubelet — the name for the primary node agent that runs on each node in the cluster — that allowed for anonymous access. Once the Kubelet cluster was compromised, the malware was aimed at spreading across a maximum number of containers as possible, eventually launching a cryptojacking campaign.

Unit 42 has given the nickname “Hildegard” to the new malware and believe that TeamTNT is the threat actor behind it, a group that has previously run a campaign to steal Amazon Web Services credentials and spread a stealth Monero-mining app to millions of IP addresses using a malware botnet.

The researchers note that the new campaign uses similar tools and domains to those of previous TeamTNT operations but that the new malware has innovative capabilities that render it “more stealthy and persistent.” Hildegard, in their technical summary:

“Uses two ways to establish command and control (C2) connections: a tmate reverse shell and an Internet Relay Chat (IRC) channel; Uses a known Linux process name (bioset) to disguise the malicious process; Uses a library injection technique based on LD_PRELOAD to hide the malicious processes; Encrypts the malicious payload inside a binary to make automated static analysis more difficult.”

In terms of chronology, Unit 42 indicated that the C2 domain “borg.wtf” was registered on Dec. 24, 2020, with the IRC server subsequently going online on Jan. 9. Several malicious scripts have frequently been updated, and the campaign has a hash power of around 25.05 kilohashes per second. As of Feb. 3, Unit 42 found that 11 XMR (roughly $1,500) was stored in the associated wallet.

Since the team’s initial detection, however, the campaign has been inactive, leading Unit 42 to venture that “The threat campaign may still be in the reconnaissance and weaponization stage.” Based on an analysis of the malware’s capabilities and target environments, however, the team anticipates that a larger-scale attack is in the pipeline, with potentially more far-reaching consequences:

“The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters.”

Due to the fact that a Kubernetes cluster typically contains more than a single host, and that each host can, in turn, run multiple containers, Unit 42 underscores that a hijacked Kubernetes cluster can result in a particularly lucrative malware cryptojacking campaign. For victims, the hijacking of their system’s resources by such a campaign can cause significant disruption.

Already feature-rich and more sophisticated than earlier TeamTNT efforts, the researchers advised clients to use a cloud security strategy that will alert users to an insufficient Kubernetes configuration in order to stay protected against the emergent threat.