A new type of malware designed to compromise Windows containers and Kubernetes clusters has been discovered.
Researchers at Palo Alto Networks’ Unit 42, who discovered the malware in March this year, say the malware, dubbed Siloscape, is unusual because it does not target Linux containers, the environment most widely used for running cloud applications, but Windows containers instead.
Siloscape is a server-side attack that tries to escape Windows containers, which Windows implements as server silos (hence the name).
According to researchers, Siloscape uses a Tor proxy to connect to its C2 server, which is used by hackers to manage their malware and for data exfiltration.
The new malware’s binary, Cloud-Malware.exe, targets Windows containers, gaining initial access by exploiting known vulnerabilities. Siloscape then attempts to execute code on the container’s underlying node, and tries to obtain the SeTcbPrivilege privilege using known Windows container escape techniques:
“Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container,” Unit 42 says. “More specifically, it links its local containerized X drive to the host’s C drive.”
If successful, the malware will exploit the system’s resources to secretly mine for cryptocurrency. It will also try to create unauthorized containers to steal data from compromised applications.
The malware’s developers have heavily obfuscated the code at runtime in order to hide its contents and make it harder to reverse-engineer. Another notable feature is that each binary carries its own unique hardcoded key, which it uses to decrypt the C2 server’s password.
“The hardcoded key makes each binary a little bit different than the rest, which is why I couldn’t find its hash anywhere,” the research states. “It also makes it impossible to detect Siloscape by hash alone.”
Unit 42 was able to gain access to the C2 and identify over 313 victims, most of whom were likely victims of campaigns over the past year.
Microsoft advises deploying Hyper-V containers rather than standard (process-isolated) Windows containers wherever containerization is used as a security boundary.
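As an added illustration of that recommendation (not code from the Unit 42 research or from Microsoft), the following PowerShell audit lists the running Windows containers on a Docker host and flags any that share the host kernel through process isolation. It assumes the Docker CLI is installed and that `.HostConfig.Isolation` in `docker inspect` and `.Isolation` in `docker info` report the isolation mode.

```powershell
# Added example: audit running Windows containers for their isolation mode.
# Assumes the Docker CLI is on PATH and talks to a Windows container daemon.
# HostConfig.Isolation is "hyperv" for Hyper-V containers, "process" for
# process-isolated ones, or "default"/"" when the daemon default applies.

function Resolve-DefaultIsolation {
    # docker info reports the daemon default ("process" on Windows Server,
    # "hyperv" on Windows 10/11 client hosts).
    $mode = (docker info --format '{{.Isolation}}' 2>$null)
    if ($mode) { return $mode.Trim() } else { return 'unknown' }
}

function Get-ContainerIsolation {
    $default = Resolve-DefaultIsolation
    $ids = @(docker ps -q)
    foreach ($id in $ids) {
        # One pipe-delimited line per container avoids multi-line JSON parsing.
        $line = docker inspect --format '{{.Name}}|{{.Config.Image}}|{{.HostConfig.Isolation}}' $id
        $name, $image, $isolation = ($line -split '\|', 3)
        if ([string]::IsNullOrEmpty($isolation) -or $isolation -eq 'default') {
            $isolation = $default
        }
        [pscustomobject]@{
            Name      = $name.TrimStart('/')
            Image     = $image
            Isolation = $isolation
        }
    }
}

function Test-IsolationBoundary {
    $all  = @(Get-ContainerIsolation)
    $weak = @($all | Where-Object { $_.Isolation -ne 'hyperv' })
    if ($weak.Count -gt 0) {
        Write-Warning ("{0} of {1} containers share the host kernel (no Hyper-V boundary):" -f $weak.Count, $all.Count)
        $weak | Format-Table -AutoSize
    } else {
        Write-Host "All $($all.Count) running containers use Hyper-V isolation."
    }
}

Test-IsolationBoundary

# For reference, the weak and the hardened launch of the same image:
#   docker run -d mcr.microsoft.com/windows/servercore:ltsc2019                     # process isolation on Server
#   docker run -d --isolation=hyperv mcr.microsoft.com/windows/servercore:ltsc2019  # Hyper-V container
```

Run it on each Windows node; any container listed by the warning relies on the shared kernel as its only boundary, which is the configuration the escape described above targets.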