Malware built to target Kubernetes clusters to mine Monero uncovered

The malware campaign has not been successful since it was first discovered in January, leading researchers to conclude that it “may still be in the reconnaissance and weaponization stage.”

Cybersecurity analysts at Unit 42, the Palo Alto Networks intelligence team, have released a profile of a recent ransomware campaign that attacks Kubernetes clusters and can be used for cryptojacking purposes.

“Cryptojacking” is an industry word for stealth crypto-mining attacks that operate by downloading malware that uses computer processing resources to mine cryptocurrencies—often Monero (XMR)—without the user’s permission or awareness.

The Kubernetes cluster is a collection of nodes that are used to run containerized systems across various devices and environments, whether virtual, physical, or cloud-based. According to the Unit 42 team, the attackers behind the latest malware were initially accessed by a misconfigured Kubelet—the name of the primary node agent operating on each node in the cluster—which enabled anonymous entry. Once the Kubelet cluster was breached, the malware was programmed to spread through as many containers as possible, ultimately initiating a cryptojacking operation.

Unit 42 has assigned the pseudonym “Hildegard” to the latest malware and claims that TeamTNT is the threat agent behind it, a community that has previously conducted a campaign to steal the Amazon Web Services credential and distribute the Monero-mining software to millions of IP addresses using a malware botnet.

Researchers note that the current campaign uses similar techniques and domains to those of past TeamTNT campaigns, but that the new malware has innovative features that make it “more stealthy and persistent.”

“Uses two ways to establish command and control (C2) connections: a tmate reverse shell and an Internet Relay Chat (IRC) channel; Uses a known Linux process name (bioset) to disguise the malicious process; Uses a library injection technique based on LD_PRELOAD to hide the malicious processes; Encrypts the malicious payload inside a binary to make automated static analysis more difficult.”

As far as chronology is concerned, Unit 42 suggested that the C2 domain “” was registered on Dec. 24, 2020, and the IRC server was subsequently online on Jan. 9. Several malware scripts have been modified regularly, and the campaign has a hash capacity of around 25.05 kilo hash per second. As of Feb. 3, Unit 42 found that 11 XMR (approximately $1,500) had been deposited in the corresponding wallet.

Since the initial identification of the squad, however, the operation has been inactive, causing Unit 42 to venture that “The threat campaign may still be in the reconnaissance and weaponization stage.” However, based on an analysis of the capabilities of the malware and target environments, the team anticipates that a big assault is underway, with potentially more far-reaching consequences:

“The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters.”

Due to the assumption that the Kubernetes cluster normally includes more than one host and that each host will operate several containers, Unit 42 points out that the hacked Kubernetes cluster can result in an especially profitable cryptojacking malware operation. In the case of victims, the hijacking of the infrastructure of their system by such a movement will cause severe damage.

Already feature-rich and more advanced than TeamTNT’s previous attempts, the researchers urged clients to use a cloud protection approach that would alert users to a lack of Kubernetes configuration in order to remain safe from emerging threats.


Leave a Reply

Your email address will not be published. Required fields are marked *