HomeWinBuzzer NewsNew Malware Siloscape Found Targeting Windows Containers

New Malware Siloscape Found Targeting Windows Containers

A new type of malware known as Siloscape is targeting Microsoft Windows containers to steal data and conduct RCE attacks.

-

Security researchers have described a new form of malware that is targeting containers to breach Kubernetes clusters. Known as Siloscape, the malware seeks to compromise containers on the platform.

Kubernetes clusters in Windows container work over Linux to help customers manage cloud services. Unit 42, the zero-day wing of Palo Alto Networks, says Siloscape was spotted by researchers in March.

It was given its name because it focuses on trying to compromise Windows containers and then escape through the server silo. Threat actors access the command-and-control (C2) server through a .onion domain.

On C2, attackers can manage Siloscape, including sending attack commands and extract data. `Threat actors are targeting vulnerabilities in Windows containers to access organization databases and servers.

Attack

If the malware is on a system, it shows as CloudMalware.exe. and attacks on a server through isolation. Once Siloscape has access it will start a remote code execution (RCE) on the node of the container, leveraging escape techniques for Windows containers. For example, it will try to impersonate CExecSvc.exe to get out of a container.

“Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container,” Unit 42 points out. “More specifically, it links its local containerized X drive to the host's C drive.”

Not all attempts to escape are successful, but if the malware does get out of Windows containers, it will attempt to create new containers that will take app data by using malicious clusters. It can also load crypto miners to use system resources.  

The creators of the malware have gone to great lengths to ensure the content is hard to find. It also uses two keys to decrypt the password used for the C2 server. Tracking the keys is nearly impossible because unique keys may be created for every attack.

“The hardcoded key makes each binary a little bit different than the rest, which is why I couldn't find its hash anywhere,” the researchers say. “It also makes it impossible to detect Siloscape by hash alone.”

Tip of the day: Windows 10s Power Throttling can net up to 11% more battery savings per charge with little negative impact. In some scenarios you might consider turning Power Throttling off for single apps that you want run with maximum performance. Our tutorial shows you various methods to manage Power Throttling.

SourceUnit 42
Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News