8 June 2021

Researchers discover new malware targeting Windows containers



Researchers from security firm Palo Alto Networks are warning of a new malware strain, which is targeting Windows containers in order to compromise Kubernetes nodes and open a backdoor to clusters.

Dubbed Siloscape, the malware is the first known malware strain designed to target Windows containers. Siloscape compromises Kubernetes nodes by exploiting known vulnerabilities in web servers and databases.

“Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers,” Unit 42 security researcher Daniel Prizmant wrote.

The campaign was first identified in March 2021 and is believed to have been active for more than a year.

To gain an initial foothold, the malware targets common cloud applications such as web servers through known vulnerabilities. It then uses a Windows container escape technique to break out of the container and gain code execution on the underlying node. Next, Siloscape uses the node's credentials to spread through the cluster and connects to its command-and-control server using the IRC protocol over the Tor network.

To escape the container, the malware impersonates CExecSvc.exe (the container execution service, whose token carries the SeTcbPrivilege needed to create a global symbolic link) and then creates a symbolic link from its local containerized X drive to the host's C drive. Once on the host, it searches for specific Kubernetes files (the kubectl binary and the cluster configuration) and checks that it can execute kubectl commands against the cluster.
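The four stages described above (impersonating CExecSvc.exe, linking the container's X drive to the host's C drive, running kubectl from a node that should not need it, and IRC-over-Tor command and control) each leave a distinct trace on the node. The following is an added example, not Unit 42's tooling or anything from the Siloscape samples: a small detection pass over constructed, Sysmon-style event records. The field names (event, image, container_id, target_image, link_path, link_target, dest_ip, dest_port), the IRC and Tor SOCKS port numbers, and the object-manager path prefixes used to recognise a link into the host's namespace are all assumptions of this example, not a real agent's schema.

```python
"""Detection heuristics for the Siloscape attack chain (added example).

Events are constructed, Sysmon-like dictionaries. The field names, the
port lists and the host-path prefixes below are this example's own
assumptions about what an endpoint agent on a Windows node would emit.
"""
from pathlib import PureWindowsPath

IRC_PORTS = {6667, 6697}        # default IRC / IRC-over-TLS ports (assumption: defaults in use)
TOR_SOCKS_PORTS = {9050, 9150}  # default Tor SOCKS listener ports (same assumption)
# Object-manager prefixes that reach outside the container's own namespace (assumption).
HOST_NAMESPACE_PREFIXES = ("\\??\\", "\\GLOBAL??\\", "\\Device\\")

# Constructed sample telemetry from one Windows node running two workload containers.
SAMPLE_EVENTS = [
    # benign: the container runtime itself launches CExecSvc on the node (no container_id)
    {"event": "process_create", "image": r"C:\Windows\System32\CExecSvc.exe", "container_id": ""},
    # benign: the web application inside container 'web-1'
    {"event": "process_create", "image": r"C:\app\w3wp.exe", "container_id": "web-1"},
    # suspicious: a process in 'web-1' opens a handle to CExecSvc.exe (impersonation step)
    {"event": "process_access", "image": r"C:\Windows\Temp\svc.exe", "container_id": "web-1",
     "target_image": r"C:\Windows\System32\CExecSvc.exe"},
    # suspicious: symbolic link from the container's X: volume into the host namespace (escape step)
    {"event": "symlink_create", "image": r"C:\Windows\Temp\svc.exe", "container_id": "web-1",
     "link_path": r"X:\host", "link_target": "\\??\\C:\\"},
    # suspicious: kubectl launched from inside a workload container (spread step)
    {"event": "process_create", "image": r"C:\k\kubectl.exe", "container_id": "web-1"},
    # benign: kubectl run on the node itself, outside any container
    {"event": "process_create", "image": r"C:\k\kubectl.exe", "container_id": ""},
    # suspicious: container process connecting to an IRC port (C2 step); 203.0.113.0/24 is documentation space
    {"event": "network_connect", "image": r"C:\Windows\Temp\svc.exe", "container_id": "web-1",
     "dest_ip": "203.0.113.7", "dest_port": 6667},
    # benign: container 'web-2' talking HTTPS to a backend
    {"event": "network_connect", "image": r"C:\app\w3wp.exe", "container_id": "web-2",
     "dest_ip": "198.51.100.20", "dest_port": 443},
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def detect(events):
    """Return (rule, container_id, detail) tuples for events matching a chain stage.

    Every rule only fires for processes that carry a container_id: the same
    actions performed by the node's own services are expected and ignored.
    """
    findings = []
    for e in events:
        cid = e.get("container_id", "")
        if not cid:
            continue
        kind = e["event"]
        if kind == "process_access" and basename(e.get("target_image", "")) == "cexecsvc.exe":
            findings.append(("cexecsvc_handle_from_container", cid, e["image"]))
        elif kind == "symlink_create" and e.get("link_target", "").startswith(HOST_NAMESPACE_PREFIXES):
            findings.append(("host_symlink_from_container", cid, f"{e['link_path']} -> {e['link_target']}"))
        elif kind == "process_create" and basename(e["image"]) == "kubectl.exe":
            findings.append(("kubectl_in_container", cid, e["image"]))
        elif kind == "network_connect" and e.get("dest_port") in IRC_PORTS | TOR_SOCKS_PORTS:
            findings.append(("irc_or_tor_from_container", cid, f"{e['dest_ip']}:{e['dest_port']}"))
    return findings


def score_containers(events):
    """Number of distinct chain stages observed per container.

    One stage alone can be noise (an admin image that bundles kubectl, say);
    a container that hits two or more stages is worth an immediate look.
    """
    stages = {}
    for rule, cid, _ in detect(events):
        stages.setdefault(cid, set()).add(rule)
    return {cid: len(rules) for cid, rules in stages.items()}


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
    print(score_containers(SAMPLE_EVENTS))
```

On the constructed sample, all four rules fire for container web-1 and nothing fires for web-2 or for the node-level processes, which is the point of keying every rule on container_id: CExecSvc.exe and kubectl are normal on a Windows node, but a workload container has no business touching either.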

“This malware can leverage the computing resources in a Kubernetes cluster for cryptojacking and potentially exfiltrate sensitive data from hundreds of applications running in the compromised clusters,” Prizmant explained.

The researcher noted that Siloscape does not do anything that harms the cluster on its own. Its main purpose is to stay undetected and provide a backdoor into the cluster, which its operators can then use for malicious activities such as cryptojacking.

“Siloscape shows us the importance of container security, as the malware wouldn’t be able to cause any significant damage if not for the container escape. It is critical that organizations keep a well-configured and secured cloud environment to protect against such threats,” the researcher said.

