Researchers detect new malware targeting Kubernetes clusters to mine Monero

Published at: Feb. 4, 2021

Cybersecurity researchers at Unit 42, the intelligence team at Palo Alto Networks, have published a profile of a new malware campaign that targets Kubernetes clusters and can be used for the purposes of cryptojacking.

"Cryptojacking" is an industry term for stealth crypto-mining attacks that work by installing malware that uses a computer’s processing power to mine cryptocurrencies — frequently Monero (XMR) — without the user’s consent or knowledge.

A Kubernetes cluster is a set of nodes used to run containerized applications across multiple machines and environments, whether virtual, physical or cloud-based. According to the Unit 42 team, the attackers behind the new malware gained initial access via a misconfigured Kubelet — the primary node agent that runs on each node in the cluster — that allowed anonymous access. Once the cluster was compromised, the malware set about spreading to as many containers as possible before launching a cryptojacking campaign.
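As an added example (not Unit 42's tooling or anything from the report), the following Python audits the kubelet settings that produce the misconfiguration described above: anonymous requests accepted and then authorized without any check. It assumes the documented kubelet behaviour that command-line flags override config-file values; the command lines and config it inspects are constructed.

```python
"""Audit a kubelet's auth settings for the misconfiguration described above:
anonymous requests accepted and then authorized without any check.
Added example, not Unit 42's tooling."""

# Real kubelet settings. Upstream defaults differ: the legacy command-line
# flags default to permissive values, the config file (--config) to safe ones.
FLAG_DEFAULTS = {"anonymous": "true", "mode": "AlwaysAllow", "ro_port": "10255"}
FILE_DEFAULTS = {"anonymous": "false", "mode": "Webhook", "ro_port": "0"}
FLAG_TO_KEY = {"anonymous-auth": "anonymous", "authorization-mode": "mode",
               "read-only-port": "ro_port"}

def parse_kubelet_flags(cmdline):
    """Turn '/usr/bin/kubelet --anonymous-auth=false ...' into {flag: value}."""
    flags = {}
    for tok in cmdline.split()[1:]:
        if tok.startswith("--"):
            key, _, value = tok[2:].partition("=")
            flags[key] = value or "true"  # a bare boolean flag means true
    return flags

def effective_settings(flags, config=None):
    """Resolve what the kubelet runs with. Assumption (documented behaviour):
    a command-line flag overrides the same setting in the parsed config file."""
    eff = dict(FLAG_DEFAULTS if config is None else FILE_DEFAULTS)
    if config is not None:
        anon = config.get("authentication", {}).get("anonymous", {})
        eff["anonymous"] = str(anon.get("enabled", eff["anonymous"])).lower()
        eff["mode"] = config.get("authorization", {}).get("mode", eff["mode"])
        eff["ro_port"] = str(config.get("readOnlyPort", eff["ro_port"]))
    for flag, key in FLAG_TO_KEY.items():
        if flag in flags:
            eff[key] = flags[flag]
    return eff

def audit_kubelet(cmdline, config=None):
    """Return one finding per setting that leaves the kubelet API open."""
    eff = effective_settings(parse_kubelet_flags(cmdline), config)
    findings = []
    if eff["anonymous"] == "true":
        findings.append("anonymous requests accepted: set --anonymous-auth=false")
    if eff["mode"] == "AlwaysAllow":
        findings.append("every request authorized: set --authorization-mode=Webhook")
    if eff["ro_port"] != "0":
        findings.append("unauthenticated read-only port open: set --read-only-port=0")
    return findings

# Constructed inputs: a node still on legacy flag defaults, and a hardened config.
WEAK_CMDLINE = "/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf"
HARDENED_CONFIG = {"authentication": {"anonymous": {"enabled": False}},
                   "authorization": {"mode": "Webhook"}, "readOnlyPort": 0}
```

On a live node the command line comes from /proc/&lt;pid&gt;/cmdline of the kubelet process and the config from the file named by its --config flag.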

Unit 42 has nicknamed the new malware "Hildegard" and believes that TeamTNT is the threat actor behind it, a group that previously ran a campaign to steal Amazon Web Services credentials and spread a stealth Monero-mining app to millions of IP addresses using a malware botnet.

The researchers note that the new campaign uses similar tools and domains to those of previous TeamTNT operations but that the new malware has innovative capabilities that render it "more stealthy and persistent." Hildegard, in their technical summary:

"Uses two ways to establish command and control (C2) connections: a tmate reverse shell and an Internet Relay Chat (IRC) channel; Uses a known Linux process name (bioset) to disguise the malicious process; Uses a library injection technique based on LD_PRELOAD to hide the malicious processes; Encrypts the malicious payload inside a binary to make automated static analysis more difficult."
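Two of the hiding techniques in that summary can be checked for from the host side. The following Python is an added example (not Unit 42's detection logic) run over a constructed process snapshot and a constructed /etc/ld.so.preload; it relies on two Linux facts, that genuine kernel threads are children of kthreadd (pid 2) and have an empty /proc/&lt;pid&gt;/cmdline.

```python
"""Defender-side checks for two of the hiding techniques listed above: a
user-space process named after a kernel thread ("bioset") and libraries
injected everywhere through /etc/ld.so.preload. Added example over a
constructed process snapshot; not Unit 42's detection logic."""
import re

# Genuine kernel threads are children of kthreadd (pid 2) and expose an empty
# /proc/<pid>/cmdline; a miner renamed "bioset" can fake the name but not that.
KTHREADD_PID = 2
KERNEL_THREAD_NAME = re.compile(r"^(bioset|kworker/|ksoftirqd/|migration/|kswapd)")

def find_disguised_processes(snapshot):
    """snapshot: list of {pid, ppid, comm, cmdline} dicts as read from /proc.
    Returns pids that carry a kernel-thread name but were started from user space."""
    hits = []
    for p in snapshot:
        if KERNEL_THREAD_NAME.match(p["comm"]) and (
                p["ppid"] != KTHREADD_PID or p["cmdline"] != ""):
            hits.append(p["pid"])
    return hits

def ld_preload_entries(text):
    """Parse /etc/ld.so.preload (whitespace-separated paths; glibc also accepts
    ':'). Every entry is loaded into every dynamically linked process, so any
    entry on a node that needs none is a finding in itself."""
    return [e for e in re.split(r"[\s:]+", text) if e]

# Constructed snapshot: one real bioset kernel thread and two impostors.
SNAPSHOT = [
    {"pid": 2, "ppid": 0, "comm": "kthreadd", "cmdline": ""},
    {"pid": 17, "ppid": 2, "comm": "bioset", "cmdline": ""},
    {"pid": 4201, "ppid": 1, "comm": "bioset", "cmdline": "/tmp/bioset"},
    {"pid": 4310, "ppid": 2, "comm": "kworker/0:1", "cmdline": "/tmp/kworker"},
]
# Constructed preload file: a placeholder library path, not a real sample.
PRELOAD_FILE = "/usr/local/lib/libexample-hook.so\n"
```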

In terms of chronology, Unit 42 indicated that the C2 domain "borg.wtf" was registered on Dec. 24, 2020, with the IRC server subsequently going online on Jan. 9. Several malicious scripts have frequently been updated, and the campaign has a hash power of around 25.05 kilohashes per second. As of Feb. 3, Unit 42 found that 11 XMR (roughly $1,500) was stored in the associated wallet.

Since the team's initial detection, however, the campaign has been inactive, leading Unit 42 to venture that "The threat campaign may still be in the reconnaissance and weaponization stage." Based on an analysis of the malware's capabilities and target environments, however, the team anticipates that a larger-scale attack is in the pipeline, with potentially more far-reaching consequences:

"The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters."

Because a Kubernetes cluster typically contains more than a single host, and each host can in turn run multiple containers, Unit 42 underscores that a hijacked Kubernetes cluster can yield a particularly lucrative cryptojacking campaign. For victims, the hijacking of their system's resources by such a campaign can cause significant disruption.

Given that Hildegard is already feature-rich and more sophisticated than earlier TeamTNT efforts, the researchers advised clients to adopt a cloud security strategy that alerts users to an insufficient Kubernetes configuration in order to stay protected against the emergent threat.
