Cybersecurity researchers from Palo Alto Networks' Unit 42 have discovered a new malware campaign whose goal is mining the privacy-focused cryptocurrency Monero.

The new malware campaign, called Hildegard, targets clusters of the open source container orchestration platform Kubernetes in order to use the computing power of the affected machines to mine Monero (XMR), the privacy-focused cryptocurrency. Palo Alto Networks, the cybersecurity firm that discovered the malware, notes that it may be operated by the TeamTNT threat group, known for exploiting unsecured Docker daemons, deploying malicious container images, and carrying out attacks to steal Amazon Web Services credentials, among other things.

The research report from Palo Alto Networks Unit 42 shows that the attackers gained initial access through a misconfigured kubelet that allowed anonymous network access, which let them establish a foothold inside one of the clusters. Once one node was infected, the Hildegard malware spread as widely as possible across the system and its machines and eventually launched cryptojacking operations, with the aim of using the computing power of every infected Kubernetes machine to mine cryptocurrencies such as Monero stealthily and illegally.
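The misconfiguration the report describes, a kubelet that accepts anonymous requests, is something a defender can check for directly in the node's configuration. The following Python script is an added example and not code from Unit 42 or from the Kubernetes project: it audits a KubeletConfiguration document for anonymous authentication, the authorization mode and the read-only port. The two sample documents are constructed for this example and kept in JSON form (the kubelet's own config file is usually YAML, a superset of JSON) so the script runs with the standard library alone; the field names are the real KubeletConfiguration ones.

```python
"""Audit a KubeletConfiguration document for the settings that let an
unauthenticated client talk to the kubelet API.

Added example, not code from Unit 42 or the Kubernetes project.  Sample
documents are constructed and kept in JSON form so that only the standard
library is needed.  Field names follow the KubeletConfiguration schema:
authentication.anonymous.enabled, authentication.webhook.enabled,
authentication.x509.clientCAFile, authorization.mode, readOnlyPort.
"""
import json
from typing import Any, List

# Constructed sample: a kubelet that accepts anonymous requests and
# authorizes everything, the kind of setup the article describes.
WEAK_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": True},
        "webhook": {"enabled": False},
    },
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
})

# Constructed sample: the same file with the settings a hardened node uses.
HARDENED_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
})


def _get(doc: dict, *path: str, default: Any = None) -> Any:
    """Walk a nested dict safely, returning default if any key is missing."""
    cur: Any = doc
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def audit_kubelet_config(text: str) -> List[str]:
    """Return a list of findings for a KubeletConfiguration document.

    An empty list means none of the checked weaknesses is present.  Safe
    values are required to be explicit: an unset key is reported rather
    than trusting whatever default the running kubelet version applies.
    """
    doc = json.loads(text)
    if doc.get("kind") != "KubeletConfiguration":
        return ["document is not a KubeletConfiguration"]

    findings: List[str] = []

    if _get(doc, "authentication", "anonymous", "enabled") is not False:
        findings.append("authentication.anonymous.enabled is not false: "
                        "unauthenticated clients can reach the kubelet API")

    # Without webhook or x509 auth there is no way to identify callers.
    webhook = _get(doc, "authentication", "webhook", "enabled", default=False)
    x509_ca = _get(doc, "authentication", "x509", "clientCAFile")
    if not webhook and not x509_ca:
        findings.append("no webhook or x509 client authentication configured")

    # AlwaysAllow skips the authorization check entirely.
    mode = _get(doc, "authorization", "mode")
    if mode != "Webhook":
        findings.append(f"authorization.mode is {mode!r}: "
                        "requests are not authorized against the API server")

    # The read-only port serves pod and node details without any auth.
    port = _get(doc, "readOnlyPort", default=0)
    if port:
        findings.append(f"readOnlyPort {port} is enabled: "
                        "unauthenticated read access to node state")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_KUBELET_CONFIG),
                      ("hardened", HARDENED_KUBELET_CONFIG)):
        result = audit_kubelet_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run it against the file passed to the kubelet's `--config` flag on each node (converting YAML to JSON first, or swapping `json.loads` for a YAML loader). The check is deliberately strict about unset keys: a node whose file omits `authentication.anonymous` is reported even though recent kubelet versions default it to disabled, because the goal is to prove the setting, not to rely on a default.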


Features of the new malware

The new malware has been operational for just over a month, Unit 42 researchers estimate, and while it shares many tools and functions with previous malware campaigns run by the threat group, Hildegard also has some new features that researchers had not seen in earlier campaigns.

In particular, the researchers note that TeamTNT's Hildegard malware uses two ways to establish command and control (C2) connections: one through a tmate reverse shell, and another through an Internet Relay Chat (IRC) channel. IRC is a text-based real-time communication protocol, and it was recently used by Bitcoin developers to discuss enabling Taproot on the network.

The new malware campaign also uses a well-known Linux process name (bioset) to disguise and hide the malicious process, making it stealthier and more persistent. Researchers also highlight that Hildegard uses an LD_PRELOAD-based library injection technique, which allows it to hide malicious processes from detection. It also encrypts the malicious payload within a binary to hinder automated static analysis.
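Two of the techniques above, a user-space miner carrying a kernel-thread name such as bioset and LD_PRELOAD library injection, leave traces in /proc that a host-based check can pick up. The script below is an added example and not code from Unit 42 or from the malware: it flags processes whose name belongs to a kernel thread but which have a command line, an executable link or a parent other than kthreadd, and it flags processes whose environment, or the system-wide /etc/ld.so.preload file, carries an LD_PRELOAD entry. The process table and preload file contents it runs on are constructed for the example; the kernel-thread name list and the `scan_live_host` helper are assumptions of this example, not anything from the report.

```python
"""Flag user-space processes that masquerade as kernel threads and
processes carrying an LD_PRELOAD injection.

Added example, not code from Unit 42 or from the malware.  It assumes a
Linux /proc layout; the detection functions take plain records so they can
be exercised on constructed data without root.  The kernel-thread name list
is illustrative; 'bioset' is the name the article mentions.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Names that, on a normal Linux host, belong to kernel threads spawned by
# kthreadd (PID 2).  A user-space process wearing one of these names is
# worth a look.  Constructed list for this example.
KERNEL_THREAD_NAMES = {"bioset", "kworker", "ksoftirqd", "kswapd0", "migration"}
KTHREADD_PID = 2


@dataclass
class ProcInfo:
    pid: int
    comm: str                 # /proc/PID/comm, the name ps and top display
    ppid: int
    cmdline: List[str]        # empty for a real kernel thread
    environ: Dict[str, str] = field(default_factory=dict)
    exe: Optional[str] = None  # readlink(/proc/PID/exe); None for kernel threads


def is_masquerading_kernel_thread(p: ProcInfo) -> bool:
    """True if the name says 'kernel thread' but the process is user-space.

    Real kernel threads have no command line, no executable link, and are
    children of kthreadd (or are kthreadd itself).
    """
    base = p.comm.split("/")[0]          # kworker/0:1 -> kworker
    if base not in KERNEL_THREAD_NAMES or p.pid == KTHREADD_PID:
        return False
    return bool(p.cmdline) or p.exe is not None or p.ppid != KTHREADD_PID


def has_ld_preload(p: ProcInfo) -> bool:
    """True if the process environment carries a non-empty LD_PRELOAD."""
    return bool(p.environ.get("LD_PRELOAD"))


def findings(procs: List[ProcInfo], preload_file: str = "") -> List[str]:
    """Run both checks over a process list plus /etc/ld.so.preload contents."""
    out: List[str] = []
    for line in preload_file.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(f"/etc/ld.so.preload loads {line} into every process")
    for p in procs:
        if is_masquerading_kernel_thread(p):
            out.append(f"pid {p.pid} named {p.comm!r} is not a kernel thread "
                       f"(ppid {p.ppid}, cmdline {p.cmdline}, exe {p.exe})")
        if has_ld_preload(p):
            out.append(f"pid {p.pid} ({p.comm}) has LD_PRELOAD="
                       f"{p.environ['LD_PRELOAD']}")
    return out


def _read_proc(pid: int) -> Optional[ProcInfo]:
    """Collect one ProcInfo from /proc; needs Linux and enough permission."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/status") as f:
            ppid = next(int(l.split()[1]) for l in f if l.startswith("PPid:"))
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except (OSError, StopIteration):
        return None
    environ: Dict[str, str] = {}
    try:
        with open(f"{base}/environ", "rb") as f:
            for item in f.read().split(b"\0"):
                k, _, v = item.decode(errors="replace").partition("=")
                if k:
                    environ[k] = v
    except OSError:
        pass                      # environ of other users' processes needs root
    try:
        exe: Optional[str] = os.readlink(f"{base}/exe")
    except OSError:
        exe = None                # kernel threads have no exe link
    return ProcInfo(pid, comm, ppid, cmdline, environ, exe)


def scan_live_host() -> List[str]:
    """Read the real process table and preload file on a Linux host."""
    procs = []
    for d in os.listdir("/proc"):
        if d.isdigit():
            p = _read_proc(int(d))
            if p is not None:
                procs.append(p)
    try:
        with open("/etc/ld.so.preload") as f:
            preload = f.read()
    except OSError:
        preload = ""
    return findings(procs, preload)


# Constructed sample process table: kthreadd, one genuine bioset kernel
# thread, one user-space impostor, and one child started with LD_PRELOAD.
SAMPLE_PROCS = [
    ProcInfo(2, "kthreadd", 0, []),
    ProcInfo(37, "bioset", 2, []),
    ProcInfo(4711, "bioset", 1, ["/tmp/.x/bioset"], {"PATH": "/usr/bin"}, "/tmp/.x/bioset"),
    ProcInfo(4712, "sh", 4711, ["sh"], {"LD_PRELOAD": "/usr/local/lib/libx.so"}, "/bin/sh"),
]
SAMPLE_PRELOAD = "# constructed sample\n/usr/local/lib/libx.so\n"

if __name__ == "__main__":
    for line in findings(SAMPLE_PROCS, SAMPLE_PRELOAD):
        print(line)
```

One caveat applies when `scan_live_host` is run on a host that is already compromised: a preload library that hooks `readdir` or `open` can filter its own process and file entries out of what this script sees, because the script goes through the same libc. Reading /proc and /etc/ld.so.preload from a statically linked tool, or from a forensic image taken outside the host, avoids that blind spot.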

Researchers also point out that this is a malware campaign still under development, since its code base and infrastructure appear incomplete.

Illegal Monero (XMR) mining

Researchers at the cybersecurity firm discovered that computing resources hijacked from Kubernetes clusters by the malware campaign were being used to maliciously and covertly mine the privacy cryptocurrency Monero (XMR).

To mine the cryptocurrency, the malware used the XMRig miner, one of the most popular miners among cybercriminals according to ESET, another well-known cybersecurity firm. ESET states that 73% of malware dedicated to illegal mining, in Latin America and worldwide, uses XMRig.

Despite the short time this malware campaign has been running, researchers found that the cybercriminals had already accumulated nearly 25,05 KH of computing power (hash rate), with which they managed to mine about 11 XMR, valued at the time of writing at $1.640.
