Hildegard

Malware Profile Updated 24 days ago
Hildegard is a sophisticated malware strain attributed to the cybercriminal group TeamTNT. It primarily exploits unsecured kubelets to infiltrate Kubernetes clusters and move laterally within them. The name "Hildegard" derives from the username of the tmate account the malware uses. The tactics, techniques, and procedures (TTPs) observed in its operation indicate a new campaign launched by TeamTNT.

Hildegard uses the kubelet's API to execute commands inside containers, establishing a foothold in the cluster. Once it has initial access to a container, it sets up either a tmate session or an IRC channel back to its command-and-control (C2) server, then performs reconnaissance to understand the environment. The malware searches for credential files on the host and queries the metadata service for cloud-specific credentials, indicating a focus on data exfiltration. Hildegard also deploys an IRC agent built from the open-source project ziggystartux; to evade automated static analysis, the ziggystartux ELF is encrypted and packed inside another binary named ziggy.

In addition, Hildegard uses LD_PRELOAD to hide the malicious processes it starts within the containers, which makes it harder to detect and neutralize. We discovered that TeamTNT gained initial access using Hildegard by executing commands on kubelets that allow anonymous access, highlighting the importance of securing these interfaces. Overall, Hildegard represents a significant threat to unsecured Kubernetes environments because of its evasion techniques and data exfiltration capabilities.
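The two host-side conditions the profile above calls out are a kubelet that allows anonymous access and an LD_PRELOAD-based process hider. The following checker is an added example written for this page; it is not code from the profile's vendor or from any Hildegard analysis. It audits a kubelet configuration document (the field names `authentication.anonymous.enabled`, `authentication.webhook.enabled`, `authorization.mode` and `readOnlyPort` are real KubeletConfiguration fields, as served by the kubelet's `/configz` endpoint or read from the on-disk config) and lists any entries in `/etc/ld.so.preload`. The sample configurations and the preload library path are constructed for illustration.

```python
import json

# Constructed sample: a weak kubelet configuration in the JSON shape the
# kubelet's /configz endpoint returns (KubeletConfiguration under "kubeletconfig").
WEAK_KUBELET_CONFIG = json.loads("""
{
  "kubeletconfig": {
    "authentication": {
      "anonymous": {"enabled": true},
      "webhook": {"enabled": false}
    },
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255
  }
}
""")

# Constructed sample: the same settings hardened so that every request to the
# kubelet API must be authenticated and authorized by the API server.
HARDENED_KUBELET_CONFIG = json.loads("""
{
  "kubeletconfig": {
    "authentication": {
      "anonymous": {"enabled": false},
      "webhook": {"enabled": true}
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0
  }
}
""")


def audit_kubelet_config(doc):
    """Return findings for settings that let an unauthenticated caller reach
    the kubelet API, the access path described in the profile above."""
    cfg = doc.get("kubeletconfig", doc)
    findings = []
    auth = cfg.get("authentication", {})
    if auth.get("anonymous", {}).get("enabled", False):
        findings.append("authentication.anonymous.enabled is true")
    if not auth.get("webhook", {}).get("enabled", False):
        findings.append("authentication.webhook.enabled is false")
    # The kubelet's documented default authorization mode is AlwaysAllow,
    # so a missing value is treated as that default.
    if cfg.get("authorization", {}).get("mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow")
    if cfg.get("readOnlyPort", 0) != 0:
        findings.append(f"readOnlyPort {cfg['readOnlyPort']} is enabled")
    return findings


# Constructed sample contents of /etc/ld.so.preload. On a healthy node the
# file is normally absent or empty; the library path below is hypothetical.
CLEAN_PRELOAD = ""
SUSPICIOUS_PRELOAD = "# added by nobody\n/usr/local/lib/libexample-hider.so\n"


def preload_entries(ld_so_preload_text):
    """Return the non-empty, non-comment entries of an ld.so.preload file.
    Any entry on a container host is worth investigating, since the loader
    injects it into every dynamically linked process."""
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_KUBELET_CONFIG), ("hardened", HARDENED_KUBELET_CONFIG)):
        print(name, audit_kubelet_config(cfg) or "no findings")
    print("ld.so.preload entries:", preload_entries(SUSPICIOUS_PRELOAD))
```

On a live node the same functions can be fed with the output of `curl -sk https://127.0.0.1:10250/configz` (authenticated) or the contents of the kubelet's config file, and with `open("/etc/ld.so.preload").read()` where that file exists.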
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in identifying relevance.
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Hildegard malware was read from the document corpus below. This display is limited to 20 results.
MITRE (a year ago): Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes
CERT-EU (a year ago): Mining (挖礦)
CERT-EU (a year ago): Cybersecurity threatscape: year 2021 in review