Hildegard

Malware Profile Updated 3 months ago
Hildegard is a malware campaign attributed to the cybercriminal group TeamTNT. It gains access to Kubernetes clusters through unsecured kubelets and then moves laterally inside them. The name "Hildegard" comes from the username of the tmate account the malware uses. Its tactics, techniques and procedures (TTPs) mark it as a new TeamTNT campaign rather than a rerun of the group's earlier tooling.

Initial access: Hildegard uses the kubelet API to execute commands inside running containers, establishing a foothold on the node. In the observed campaign this worked because the targeted kubelets accepted anonymous requests, which is why the kubelet's authentication and authorization settings matter as much as the API server's.

Command and control and reconnaissance: once inside a container, the malware opens either a tmate session or an IRC channel back to its command-and-control (C2) infrastructure, then surveys the environment. It searches the host for credential files and queries the cloud provider's metadata service for cloud-specific credentials. Those credentials serve lateral movement and cloud-account abuse; the campaign's payoff was cryptojacking (Monero mining with xmrig), so the credential harvesting supports spread rather than bulk data theft.

Tooling and evasion: Hildegard deploys an IRC agent built from the open-source ziggystartux project. To defeat automated static analysis, the ziggystartux ELF is encrypted and packed inside another binary named ziggy. The malware also loads an LD_PRELOAD library to hide its processes from process-listing tools inside the containers, which makes it harder to detect and remove.

Overall, Hildegard is a serious threat to unsecured Kubernetes environments because of its kubelet-based initial access, its evasion techniques and its credential harvesting.
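The check a defender wants after reading the above is whether their own kubelets would have let Hildegard in. The script below is an added example, not code from this page or from any vendor report on the campaign. It grades a kubelet's effective configuration (the JSON a kubelet serves at /configz) for the three settings that decide whether an unauthenticated caller can reach endpoints such as /pods and /run/{namespace}/{pod}/{container}, and it can optionally probe a live kubelet on TCP/10250 with one unauthenticated GET /pods and interpret the HTTP status. The two /configz documents and the host names are constructed for the example; the weak one mirrors the legacy kubelet flag defaults (--anonymous-auth=true, --authorization-mode=AlwaysAllow, --read-only-port=10255).

```python
#!/usr/bin/env python3
"""Grade a kubelet for the anonymous-access exposure Hildegard's operators used.

Added example (not from the original page). Sample configs and hosts are constructed.
"""
import ssl
import sys
import urllib.error
import urllib.request
from typing import Callable

KUBELET_PORT = 10250  # kubelet HTTPS API; the read-only port, when enabled, is plain HTTP 10255

# Constructed sample: a kubelet left on the legacy flag defaults.
WEAK_CONFIGZ = {
    "kubeletconfig": {
        "authentication": {"anonymous": {"enabled": True},
                           "webhook": {"enabled": False},
                           "x509": {}},
        "authorization": {"mode": "AlwaysAllow"},
        "readOnlyPort": 10255,
    }
}

# Constructed sample: the same kubelet with the settings a hardened
# KubeletConfiguration should carry.
HARDENED_CONFIGZ = {
    "kubeletconfig": {
        "authentication": {"anonymous": {"enabled": False},
                           "webhook": {"enabled": True},
                           "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},
        "authorization": {"mode": "Webhook"},
        "readOnlyPort": 0,
    }
}


def assess_configz(configz: dict) -> list:
    """Return human-readable findings for a kubelet /configz document.

    /configz reports effective values, so each key is expected to be present;
    a key that is missing is treated as 'not enabled' rather than guessed.
    """
    cfg = configz.get("kubeletconfig", configz)
    auth = cfg.get("authentication", {})
    findings = []
    if auth.get("anonymous", {}).get("enabled", False):
        findings.append("authentication.anonymous.enabled=true: unauthenticated "
                        "requests are accepted as system:anonymous")
    if not auth.get("webhook", {}).get("enabled", False):
        findings.append("authentication.webhook.enabled=false: bearer tokens are "
                        "not checked against the API server")
    mode = cfg.get("authorization", {}).get("mode", "")
    if mode != "Webhook":
        findings.append(f"authorization.mode={mode or 'unset'}: requests are not "
                        "checked with SubjectAccessReview, so anonymous callers "
                        "can reach /run and /exec")
    ro_port = cfg.get("readOnlyPort", 0)
    if ro_port:
        findings.append(f"readOnlyPort={ro_port}: pod specs and container names "
                        "are readable with no authentication at all")
    return findings


def classify_status(status: int) -> str:
    """Interpret the status of an unauthenticated GET /pods on port 10250."""
    if status == 200:
        return "anonymous-readable"  # anonymous auth + AlwaysAllow: exec is one POST away
    if status == 403:
        return "anonymous-denied"    # anonymous accepted, but Webhook authz refused it
    if status == 401:
        return "auth-required"       # anonymous auth disabled
    return f"unexpected-{status}"


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetcher: GET the URL, tolerating the kubelet's self-signed certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_kubelet(host: str, fetch: Callable[[str], int] = http_status,
                  port: int = KUBELET_PORT) -> str:
    """Classify a kubelet from one unauthenticated request.

    `fetch` is injectable so the decision logic can be exercised offline.
    """
    return classify_status(fetch(f"https://{host}:{port}/pods"))


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CONFIGZ), ("hardened", HARDENED_CONFIGZ)):
        print(f"{label}: {assess_configz(doc) or ['no findings']}")
    if len(sys.argv) > 1:  # e.g. ./kubelet_check.py 10.0.0.12  (constructed address)
        print(sys.argv[1], probe_kubelet(sys.argv[1]))
```

A 200 from an unauthenticated GET /pods is the condition Hildegard needed: with anonymous authentication on and authorization set to AlwaysAllow, the same anonymous identity can POST to /run and execute inside any container on the node. A 403 means anonymous identities are accepted but the Webhook authorizer rejected them, which still leaks that the kubelet is reachable; the hardened state returns 401.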
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID / Votes / Profile Description
Ziggy (1 vote): Ziggy is malware that, along with xmrig, is downloaded and executed by specific scripts. It is associated with hosted files including TDGG, api.key, tmate, tt.sh, sGAU.sh, t.sh, x86_64.so, xmr.sh, xmrig
TeamTNT (1 vote): TeamTNT, a threat actor group known for its malicious activities, has been implicated in a series of attacks on Kubernetes that rank among the most sophisticated to date. The group is notorious for deploying malware, notably Hildegard, which was identified during a new campaign. The
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Backdoor
Kubernetes
Malware
Reconnaissance
Botnet
Associated Malware
ID / Type / Votes / Profile Description
Siloscape (type: Unspecified, 1 vote): Siloscape is heavily obfuscated malware that emerged in 2021 and was designed to exploit poorly configured Kubernetes clusters through Windows containers. It plants backdoors within these clusters, enabling attackers to steal data and user credentials. Siloscape's method i
Kaiten (type: Unspecified, 1 vote): Kaiten, also known as Tsunami, is a malware family that operates as a Distributed Denial of Service (DDoS) bot and an IRC bot. It targets vulnerable Internet of Things (IoT) devices and poorly protected Linux SSH servers, and is often distributed alongside other DDoS bots such as Mirai and Gafgyt. The
Ziggystartux (type: Unspecified, 1 vote): ZiggyStarTux is malware identified as part of the arsenal of TeamTNT, a cybercriminal group. It is an open-source IRC bot based on the Kaiten malware and was first detailed by Lacework earlier this year. It operates as a backdoor, running a secondary payload
Associated Threat Actors
ID / Type / Votes / Profile Description
No associations to display
Associated Vulnerabilities
ID / Type / Votes / Profile Description
No associations to display
Source Document References
Information about the Hildegard malware was read from the documents listed below (display limited to 20 results).
Source / Created at / Title
MITRE, a year ago: Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes
CERT-EU, a year ago: 挖礦 (Mining)
CERT-EU, a year ago: Cybersecurity threatscape: year 2021 in review