Hacking group TeamTNT has been employing new malware referred to as the Hildegard malware to infiltrate Kubernetes systems, according to research from Palo Alto Networks. In the summer of 2020, the APT was targeting both Docker and Kubernetes systems through a different method, a crypto-mining worm that was able to steal local credentials and Amazon Web Services login details. However, in the fall, TeamTNT launched a different campaign leveraging an open-source tool called Weave Scope to execute commands in targeted cloud environments.
Palo Alto already uncovered the group’s next operation, which appears to have just started last month. Targeting Kubernetes environments again, the APT has shifted to using the Hildegard malware. This malware variant is persistent and stealthy, disguising malicious processes under the name of the Linux bioset kernel thread and through library injection. Once the Kubernetes cluster was compromised, the hackers sought to spread to additional areas with the final goal being cryptojacking. According to Palo Alto, no new activity has been observed since the initial detection and analysis.
Read More: New ‘Hildegard’ Malware Targets Kubernetes Systems