Hildegard is a sophisticated malware strain attributed to the cybercriminal group TeamTNT. It primarily exploits unsecured kubelets to infiltrate Kubernetes clusters and move laterally within them. The name "Hildegard" derives from the username of the tmate account the malware uses. The tactics, techniques, and procedures (TTPs) observed in its operation indicate that it represents a new campaign launched by TeamTNT. Hildegard uses the kubelet's API to execute commands within containers, thereby establishing a foothold in the cluster.
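The kubelet settings that decide whether an exposed kubelet API can be driven by an unauthenticated caller are the anonymous-authentication switch, the authorization mode, and the unauthenticated read-only port. The audit below is an added example (not code from the original description or from TeamTNT's tooling): it takes a parsed KubeletConfiguration as a dictionary (on a real node you would load /var/lib/kubelet/config.yaml with yaml.safe_load) and reports the settings that leave the kubelet open. Both configurations in the block are constructed for the example.

```python
"""Audit a KubeletConfiguration for the settings that expose the kubelet API.

Added example, not part of the original description. The checks cover:
  * authentication.anonymous.enabled  -> must be False
  * authentication.webhook.enabled    -> should be True so bearer tokens are verified
  * authorization.mode                -> must not be AlwaysAllow
  * readOnlyPort                      -> must be 0 (disabled)
Fields that are omitted are reported as "not explicitly set" rather than assumed,
because the effective value then depends on the kubelet's built-in default.
"""
from typing import Any, List


def _get(cfg: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted key path through nested dicts; return default if any key is missing."""
    node: Any = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_kubelet_config(cfg: dict) -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks pass."""
    findings: List[str] = []

    anon = _get(cfg, "authentication.anonymous.enabled")
    if anon is True:
        findings.append("authentication.anonymous.enabled is true: unauthenticated "
                        "clients can reach the kubelet API")
    elif anon is None:
        findings.append("authentication.anonymous.enabled not explicitly set; verify "
                        "the effective default")

    webhook = _get(cfg, "authentication.webhook.enabled")
    if webhook is False:
        findings.append("authentication.webhook.enabled is false: bearer tokens are "
                        "not validated against the API server")

    mode = _get(cfg, "authorization.mode")
    if mode == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow: every authenticated "
                        "(including anonymous) request is permitted")
    elif mode is None:
        findings.append("authorization.mode not explicitly set; verify the effective default")

    ro_port = _get(cfg, "readOnlyPort", 0)
    if isinstance(ro_port, int) and ro_port != 0:
        findings.append(f"readOnlyPort is {ro_port}: unauthenticated read-only API is enabled")

    return findings


# Constructed sample: the weak posture Hildegard-style intrusions rely on.
WEAK_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}

# Constructed sample: the hardened posture the audit expects.
HARDENED_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {len(audit_kubelet_config(cfg))} finding(s)")
        for finding in audit_kubelet_config(cfg):
            print("  -", finding)
```

Run the same audit against every node's kubelet configuration; a node that produces any finding is one where command execution through the kubelet API does not require valid cluster credentials.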
After gaining initial access to a container, Hildegard sets up either a tmate session or an IRC channel back to its command-and-control (C2) server. It then performs reconnaissance to understand the environment. The malware searches for credential files on the host and queries the instance metadata service for cloud-specific credentials, indicating a focus on data exfiltration. Hildegard also deploys an IRC agent built from the open-source project ziggystartux. To evade detection by automated static analysis tools, the ziggystartux ELF is encrypted and packed inside another binary named ziggy.
TeamTNT's Hildegard malware also uses LD_PRELOAD to hide the malicious processes it starts within the containers, which makes it harder to detect and neutralize. We discovered that TeamTNT gained initial access with Hildegard by executing commands on kubelets that allow anonymous access, which underscores the importance of securing these interfaces. Overall, Hildegard represents a significant threat to unsecured Kubernetes environments because of its advanced evasion techniques and data exfiltration capabilities.
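LD_PRELOAD-based hiding is configured in two places on a Linux host: the system-wide /etc/ld.so.preload file and the LD_PRELOAD variable in a process's environment (readable from /proc/<pid>/environ). The hunt below is an added example, not code from the original description; it flags every preloaded library whose path falls outside a small allowlist of system library directories or sits in a scratch directory. The allowlist, the sample preload file, and the sample process environments are constructed for this example and should be tuned per host.

```python
"""Hunt for LD_PRELOAD-based process hiding.

Added example, not part of the original description. Inputs are the text of
/etc/ld.so.preload and a mapping of pid -> raw /proc/<pid>/environ contents;
collect_live_inputs() gathers them from a real Linux host (reading other users'
environ files requires root), and the SAMPLE_* values are constructed test data.
"""
import os
from typing import Dict, List, Tuple

# Constructed allowlist: libraries normally live here. Anything else is reported for review.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Scratch locations are flagged even if they happened to be allowlisted.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def is_suspicious_path(path: str) -> bool:
    """True if a preloaded library path is outside the allowlist, hidden, or in scratch space."""
    if path.startswith(SCRATCH_DIRS) or os.path.basename(path).startswith("."):
        return True
    return not path.startswith(TRUSTED_LIB_DIRS)


def split_preload_list(value: str) -> List[str]:
    """Split a preload list; the loader accepts whitespace or colon separators."""
    return value.replace(":", " ").split()


def parse_preload_file(text: str) -> List[str]:
    """Extract library paths from /etc/ld.so.preload, dropping '#' comments."""
    entries: List[str] = []
    for line in text.splitlines():
        entries.extend(split_preload_list(line.split("#", 1)[0]))
    return entries


def parse_environ(raw: str) -> Dict[str, str]:
    """Turn the NUL-separated /proc/<pid>/environ contents into a dict."""
    env: Dict[str, str] = {}
    for item in raw.split("\x00"):
        if "=" in item:
            key, _, value = item.partition("=")
            env[key] = value
    return env


def find_suspicious_preloads(preload_file_text: str,
                             process_environs: Dict[int, str]) -> List[Tuple[str, str]]:
    """Return (source, library path) pairs for every preload that fails is_suspicious_path."""
    hits: List[Tuple[str, str]] = []
    for path in parse_preload_file(preload_file_text):
        if is_suspicious_path(path):
            hits.append(("/etc/ld.so.preload", path))
    for pid in sorted(process_environs):
        env = parse_environ(process_environs[pid])
        for path in split_preload_list(env.get("LD_PRELOAD", "")):
            if is_suspicious_path(path):
                hits.append((f"pid {pid}", path))
    return hits


def collect_live_inputs() -> Tuple[str, Dict[int, str]]:
    """Gather the real inputs from a Linux host; returns empty data where /proc is absent."""
    try:
        with open("/etc/ld.so.preload", encoding="utf-8", errors="replace") as fh:
            preload_text = fh.read()
    except OSError:
        preload_text = ""
    environs: Dict[int, str] = {}
    for entry in (os.listdir("/proc") if os.path.isdir("/proc") else []):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/environ", "rb") as fh:
                    environs[int(entry)] = fh.read().decode("utf-8", "replace")
            except OSError:
                continue  # process exited or environ not readable without privileges
    return preload_text, environs


# Constructed sample data: one system-wide preload outside the allowlist, one process
# preloading a hidden library from /tmp, one benign preload, one process with none.
SAMPLE_PRELOAD_FILE = "# constructed sample\n/usr/local/lib/libexample.so\n"
SAMPLE_ENVIRONS = {
    1: "PATH=/usr/sbin:/usr/bin\x00HOME=/\x00",
    4242: "PATH=/usr/bin\x00LD_PRELOAD=/tmp/.x/libhide.so\x00HOME=/root\x00",
    5150: "LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libfoo.so\x00",
}


if __name__ == "__main__":
    for source, path in find_suspicious_preloads(SAMPLE_PRELOAD_FILE, SAMPLE_ENVIRONS):
        print(f"{source}: suspicious preload {path}")
    live_hits = find_suspicious_preloads(*collect_live_inputs())
    print(f"live host: {len(live_hits)} suspicious preload(s)")
```

A non-empty /etc/ld.so.preload is itself unusual on most hosts and worth alerting on regardless of path; the path-based check mainly reduces noise from legitimately packaged preload libraries.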
Description last updated: 2024-05-04T21:43:57.686Z