Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)

Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard. (Citation: Unit 42 Hildegard Malware)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	1
Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	1
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99)	Attack Pattern	1
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	1
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	2
Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783)	Attack Pattern	Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99)	Attack Pattern	2
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	2