Hildegard Cryptojacking Campaign

A cryptojacking campaign attributed to the TeamTNT threat group, delivered remotely via misconfigured Kubelet agents that permit anonymous access.

Threat ID:: CC-3754
Category:: Miner
Threat Severity:: Low
Threat Vector:: Exploit
Published:: 12 February 2021 1:26 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

A cryptojacking campaign attributed to the TeamTNT threat group, delivered remotely via misconfigured Kubelet agents that permit anonymous access.

Affected platforms

The following platforms are known to be affected:

Kubernetes Versions: all supported

Threat details

Introduction

Hildegard is a cryptojacking campaign attributed to the TeamTNT threat group.

Delivery

Hildegard is delivered remotely via misconfigured Kubelet agents that permit anonymous access.

Activities

When initial access has been achieved, Hildegard attempts to spread over as many containers as possible and launch mining operations for the Monero cryptocurrency. A tmate reverse shell and an Internet Relay Chat (IRC) channel can be used for command and control (C2) communications. Additional tools are dropped which may be used to gather credentials and achieve further lateral movement.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

Domains:

teamtnt[.]red
borg[.]wtf
sampwn.anondns[.]net

IP addresses:

13.245.9[.]147
45.9.148[.]108
45.9.150[.]36
62.234.121[.]105
123.245.9[.]147
147.75.47[.]199
164.68.106[.]96

Host indicators

File hashes (SHA-256):

2c1528253656ac09c7473911b24b243f083e60b98a19ba1bbb050979a1f38a0f
2cde98579162ab165623241719b2ab33ac40f0b5d0a8ba7e7067c7aebc530172
b34df4b273b3bedaab531be46a0780d97b87588e93c1818158a47f7add8c7204
d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f
74e3ccaea4df277e1a9c458a671db74aa47630928a7825f75994756512b09d64
8e33496ea00218c07145396c6bcf3e25f4e38a1061f807d2d3653497a291348c
518a19aa2c3c9f895efa0d130e6355af5b5d7edf28e2a2d9b944aa358c23d887
5923f20010cb7c1d59aab36ba41c84cd20c25c6e64aace65dc8243ea827b537b
a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9
ee6dbbf85a3bb301a2e448c7fddaa4c1c6f234a8c75597ee766c66f52540d015
937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d
72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742
12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3
053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e
e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7
77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8
78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983
3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f
fe0f5fef4d78db808b9dc4e63eeda9f8626f8ea21b9d03cbd884e37cde9018ee
74f122fb0059977167c5ed34a7e217d9dfe8e8199020e3fe19532be108a7d607

IRC C2 process name:

bioset - please note this is also the name of a legitimate Linux process

Last edited: 12 February 2021 2:45 pm