
S0601 Hildegard

Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard. [1]

| Item | Value |
|---|---|
| ID | S0601 |
| Associated Names | |
| Version | 1.1 |
| Created | 07 April 2021 |
| Last Modified | 16 October 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | Hildegard has used an IRC channel for C2 communications. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | Hildegard has used shell scripts for execution. [1] |
| enterprise | T1609 | Container Administration Command | Hildegard was executed through the kubelet API run command and by executing commands on running containers. [1] |
| enterprise | T1613 | Container and Resource Discovery | Hildegard has used masscan to search for kubelets and the kubelet API for additional running containers. [1] |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.001 | Local Account | Hildegard has created a user named “monerodaemon”. [1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.002 | Systemd Service | Hildegard has started a monero service. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Hildegard has decrypted ELF files with AES. [1] |
| enterprise | T1611 | Escape to Host | Hildegard has used the BOtB tool, which can break out of containers. [1] |
| enterprise | T1068 | Exploitation for Privilege Escalation | Hildegard has used the BOtB tool, which exploits CVE-2019-5736. [1] |
| enterprise | T1133 | External Remote Services | Hildegard was executed through an unsecured kubelet that allowed anonymous access to the victim environment. [1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.006 | Dynamic Linker Hijacking | Hildegard has modified /etc/ to intercept shared library import functions. [1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Hildegard has modified DNS resolvers to evade DNS monitoring tools. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.003 | Clear Command History | Hildegard has used history -c to clear script shell logs. [1] |
| enterprise | T1070.004 | File Deletion | Hildegard has deleted scripts after execution. [1] |
| enterprise | T1105 | Ingress Tool Transfer | Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners. [1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Hildegard has disguised itself as a known Linux process. [1] |
| enterprise | T1046 | Network Service Discovery | Hildegard has used masscan to look for kubelets in the internal Kubernetes network. [1] |
| enterprise | T1027 | Obfuscated Files or Information | Hildegard has encrypted an ELF file. [1] |
| enterprise | T1027.002 | Software Packing | Hildegard has packed ELF files into other binaries. [1] |
| enterprise | T1219 | Remote Access Software | Hildegard has established tmate sessions for C2 communications. [1] |
| enterprise | T1496 | Resource Hijacking | Hildegard has used xmrig to mine cryptocurrency. [1] |
| enterprise | T1014 | Rootkit | Hildegard has modified /etc/ to overwrite readdir() and readdir64(). [1] |
| enterprise | T1082 | System Information Discovery | Hildegard has collected the host’s OS, CPU, and memory information. [1] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | Hildegard has searched for SSH keys, Docker credentials, and Kubernetes service tokens. [1] |
| enterprise | T1552.004 | Private Keys | Hildegard has searched for private keys in .ssh. [1] |
| enterprise | T1552.005 | Cloud Instance Metadata API | Hildegard has queried the Cloud Instance Metadata API for cloud credentials. [1] |
| enterprise | T1102 | Web Service | Hildegard has downloaded scripts from GitHub. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0139 | TeamTNT | [1] |