8 June 2021

Researchers discover new malware targeting Windows containers


Researchers from security firm Palo Alto Networks are warning of a new malware strain, which is targeting Windows containers in order to compromise Kubernetes nodes and open a backdoor to clusters.

Dubbed Siloscape, the malware is the first known malware strain designed to target Windows containers. Siloscape compromises Kubernetes nodes by exploiting known vulnerabilities in web servers and databases.

“Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers,” Unit 42 security researcher Daniel Prizmant wrote.

The malicious attacks were discovered in March 2021 and are believed to have been ongoing for over a year.

To gain an initial foothold on the systems, the malware targets common cloud applications such as web servers using known vulnerabilities. It then uses Windows container escape techniques to break out of the container and gain code execution on the underlying node. Next, Siloscape uses the node's credentials to spread through the cluster and connects to its command and control server using the IRC protocol over the Tor network.

To escape the container, the malware impersonates CExecSvc.exe and then creates a symbolic link from its local containerized X drive to the host's C drive. It then searches for specific Kubernetes files and makes sure it can execute kubectl commands.
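As an added example, not code from the article or from Unit 42's research, the following defender-side heuristic scans constructed process and symlink telemetry for the three observables described above: a process masquerading as CExecSvc.exe, a cross-drive symlink created from inside a container, and kubectl run from a container. The event schema, the System32 location assumed for the genuine CExecSvc.exe and the rule names are assumptions made for the example.

```python
"""Heuristic detection over constructed Windows-container telemetry (not from
the article). Each event is a dict with 'event', 'process', 'image',
'container_id' (None for host processes) and 'detail'."""
import ntpath

# Assumption: the genuine container execution service binary lives here.
SYSTEM32 = r"c:\windows\system32"

def _drive(path: str) -> str:
    return ntpath.splitdrive(path.strip())[0].lower()

def _is_cross_drive_link(detail: str) -> bool:
    """True when a symlink redirects one drive letter to another, as in the
    container-local X: to host C: mapping the article describes."""
    link, _, target = detail.partition("->")
    return _drive(link) != _drive(target) != ""

def scan_events(events):
    """Return (rule, subject) pairs for the three behaviours the article lists."""
    findings = []
    for e in events:
        name = e["process"].lower()
        in_container = e.get("container_id") is not None
        if e["event"] == "symlink_created" and in_container and _is_cross_drive_link(e["detail"]):
            findings.append(("container_cross_drive_symlink", e["process"]))
        elif e["event"] == "process_created":
            # A binary named like the service but loaded from elsewhere is suspect.
            if name == "cexecsvc.exe" and ntpath.dirname(e["image"].lower()) != SYSTEM32:
                findings.append(("cexecsvc_masquerade", e["image"]))
            # Cluster tooling run from inside a workload container is unusual.
            if name == "kubectl.exe" and in_container:
                findings.append(("kubectl_in_container", e["image"]))
    return findings

# Constructed sample telemetry: two benign events followed by three suspicious ones.
SAMPLE_EVENTS = [
    {"event": "process_created", "process": "CExecSvc.exe", "container_id": None,
     "image": r"C:\Windows\System32\CExecSvc.exe", "detail": ""},
    {"event": "symlink_created", "process": "setup.exe", "container_id": "abc123",
     "image": r"C:\app\setup.exe", "detail": r"C:\app\logs -> C:\app\data\logs"},
    {"event": "process_created", "process": "cexecsvc.exe", "container_id": "abc123",
     "image": r"C:\Users\Public\cexecsvc.exe", "detail": ""},
    {"event": "symlink_created", "process": "svc.exe", "container_id": "abc123",
     "image": r"C:\app\svc.exe", "detail": "X:\\ -> C:\\"},
    {"event": "process_created", "process": "kubectl.exe", "container_id": "abc123",
     "image": r"X:\k\kubectl.exe", "detail": ""},
]
```

Calling `scan_events(SAMPLE_EVENTS)` returns the three suspicious findings and ignores the two benign events.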

“This malware can leverage the computing resources in a Kubernetes cluster for cryptojacking and potentially exfiltrate sensitive data from hundreds of applications running in the compromised clusters,” Prizmant explained.

The researcher noted that Siloscape doesn't actually do anything that harms the cluster on its own. Its main purpose is to stay undetected and provide a backdoor into the cluster, which allows its operators to carry out malicious activities such as cryptojacking.

“Siloscape shows us the importance of container security, as the malware wouldn’t be able to cause any significant damage if not for the container escape. It is critical that organizations keep a well-configured and secured cloud environment to protect against such threats,” the researcher said.

