Table of Contents
  • Home
  • /
  • Blog
  • /
  • Be Aware of This New Windows Container Malware “Siloscape” Targeting Kubernetes Clusters
June 8, 2021

Be Aware of This New Windows Container Malware “Siloscape” Targeting Kubernetes Clusters

Windows Container Malware Siloscape Targeting Kubernetes Clusters

Security researchers have uncovered the first known Windows container malware, targeting Windows Server containers to infect Kubernetes clusters in cloud environments. The malware was named Siloscape (silo escape) because its primary goal is to escape the container. 

A researcher from Paloalto unit 42 Daniel Prizmant said, Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.

This post will cover some heads up on Windows container vulnerabilities, an overview of Siloscape, and recommendations & best practices to stay away from such Windows container malware.

What Are Containers?

Fig #1: Windows Containers Design

Containers are a technology that allows applications to run in an isolated environment on the host machines. They are built on top of the host machines kernel. Although containers share the host machines kernel, they dont get access to it. This feature of containers provides a lightweight, isolated environment that makes apps easier to develop, deploy, and manage without affecting other apps and services. This lightweight nature leverages better unitizations of system resources.

What Do We Know About This New Windows Container Malware: Siloscape?

Siloscape malware was first identified in March 2021 by Daniel Prizmant. Its main target is cloud applications like web servers. It is designed to gain access by exploiting the known vulnerabilities and opens a backdoor in order to run malicious containers inside the Kubernetes clusters. Its highly obfuscated code leverages Windows container escape techniques to escape the container and gain remote code execution access on the underlying node. This malware can also harvest computing resources in a Kubernetes cluster for cryptojacking and exfiltrate sensitive information from the compromised clusters.

Some common behaviors and characteristics of Siloscape malware:

  • Targeting common cloud applications such as web servers to gain access by exploiting the known vulnerabilities.

  • Uses Windows container escape techniques to break out the container and gain remote code execution on the underlying node.

  • Abuse the nodes credentials to spread in the cluster.

  • It uses the IRC protocol to connect its C2 server over the Tor network.

  • Waits for further instructions from its author.

The Targets of Siloscape Windows Container Malware:

Research reveals that this malware is just a small part of a larger campaign, which has been taking place for over a year. Furthermore, the report also confirmed that this campaign was active at the time of writing this post.

The actual size of the victims is unknown. However, when the researcher examines one of the C2 servers, he found 23 active victims at that time, and the server was being used to host 313 users in total.

Attack Flow of Siloscape Windows Container Malware:

Fig #2: Execution Flow of Siloscape Malware

  1. The attacker exploits known vulnerabilities to achieve remote code execution (RCE) inside a Windows container.

  2. The attacker executes CloudMalware.exe and supplies necessary information which needs to establish communication with the C2 server.

  3. It impersonates ‘CExecSvc.exe’ service to obtain SeTcbPrivilege privileges and creates a global symbolic link to the host (C drive of the hosts).

  4. After that, it searches for the ‘kubectl.exe’ binary and the Kubernetes config file in the symbolic link (C drive of the hosts).

  5. Then it checks if the compromised node has enough privilege to create new Kubernetes deployments. Then it writes the Tor archive (ZIP) and an unzip binary to the hosts C drive from the main Siloscape binary.

  6. it fires up ‘tor.exe’ to a new thread and waits for it to finish by checking the Tor thread output.

  7. After Tor is up and running, It then connects to the C2 server (IRC server, using a .onion domain), which is hosted on the Tor network from where it receives the instructions in the forms of commands for further action.

Indicators of Compromise Captured During the Analysis of Siloscape Malware

Our Siloscape variant5B7A23676EE1953247A0364AC431B193E32C952CF17B205D36F800C270753FCB
unzip.exe, the unzip binary Siloscape writes to the disk81046F943D26501561612A629D8BE95AF254BC161011BA8A62D25C34C16D6D2A, the tor archive Silsocape writes to the disk010859BA20684AEABA986928A28E1AF219BAEBBF51B273FF47CB382987373DB7

Tips for Detecting and Removing This New Windows Container Malware “Siloscape”

Follow these recommendations to get rid of this threat:

  1. Block the IOCs on your Proxies, EDR Tools, Microsoft O365, and Firewalls.

  2. Check Firewall and Internet proxy logs for the given IOCs.

  3. Check if Tor is recently installed on any host on the network.

  4. Check for Tor traffic signature in NIDS and network Firewalls.

  5. Use any of the good Container security scanners for any detection.

  6. Migrate all Windows containers to Hyper-V containers until this issue sees a fix.

  7. For any suspected machines, immediately isolate the host and run these checks.

  8. Run an anti-virus product on the whole disk to check for any malware.

Wrap Up:

Unlike most cloud malware, which mostly focuses on resource hijacking and denial of service (DoS), Siloscape doesnt limit itself to any specific goal. Instead, it opens a backdoor to all kinds of malicious activities.. Microsoft recommends not to use Windows containers as a security feature, instead use the Hyper-V containers for anything that relies on containerization as a security boundary. We suggest migrating all Windows containers to Hyper-V containers to get rid of this new Windows container malware.

Thanks for reading this post. We request to share this post with all who use Windows Containers in their daily lives and make them aware of this threat.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Cloud & OS Platforms

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription