Siloscape: this new malware targets Windows containers to access Kubernetes clusters
A new brand of malware designed to compromise Windows containers to reach Kubernetes clusters has been revealed by researchers.
The malware, dubbed Siloscape, is considered unusual as malware generally designed to target containers focuses on Linux as a popular operating system for managing cloud applications and environments.
According to Palo Alto Networks’ Unit 42, Siloscape, first discovered in March this year, has been named as such because its overall aim is to escape Windows containers via a server silo.
In a blog post on Monday, the cybersecurity researchers said Siloscape uses the Tor proxy and an .onion domain to connect to its command-and-control (C2) server, used by threat actors to manage their malware, data exfiltration, and to send commands.
The malware, labeled as CloudMalware.exe, targets Windows containers — using Server rather than Hyper-V isolation — and will launch attacks utilizing known vulnerabilities that have not been patched for initial access against servers, web pages, or databases.
Siloscape will then attempt to achieve remote code execution (RCE) on the underlying node of a container by using various Windows container escape techniques, such as the impersonation of the CExecSvc.exe, a container image service, to obtain SeTcbPrivilege privileges.
“Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container,” Unit 42 says. “More specifically, it links its local containerized X drive to the host’s C drive.”
If the malware is able to escape, it will then try to create malicious containers, steal data from applications running in compromised clusters, or will load up cryptocurrency miners to leverage the system’s resources to covertly mine for cryptocurrency and earn its operators profit for as long as the activities go undetected.
The malware’s developers have ensured that heavy obfuscation is in place — to the point where functions and module names are only deobfuscated at runtime — in order to…