Researchers have discovered the first known malware targeting Windows containers; it mimics CExecSvc.exe to break out of the container.

Researchers from Palo Alto Networks have identified the first known malware, named “Siloscape”, that targets Windows Server containers (not Hyper-V containers); its primary goal is to break out of the container.

The malware “Siloscape” is heavily obfuscated and targets Kubernetes clusters through Windows containers. “Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers,” the researcher stated.

Additionally, the researcher said that its main purpose is to open a backdoor into a poorly configured Kubernetes cluster in order to run malicious containers and carry out other malicious activities.

The diagram shows the overall execution flow of Siloscape, including its communications with its C2 server and its movement through a poorly configured Kubernetes cluster.

The detailed execution flow of this attack, taken from the research paper:

  1. The attacker achieves remote code execution (RCE) inside a Windows container using a known vulnerability or a vulnerable web page or database.
  2. The attacker executes Siloscape (CloudMalware.exe) with the necessary C2 connection information provided as command line arguments (and not hardcoded inside the binary).
  3. Siloscape impersonates CExecSvc.exe to obtain SeTcbPrivilege privileges (this technique is described in detail in my previous article).
  4. Siloscape creates a global symbolic link to the host, practically linking its containerized X drive to the host’s C drive.
  5. Siloscape searches for the kubectl.exe binary by name and the Kubernetes config file by regular expression on the host, using the global link.
  6. Siloscape checks if the compromised node has enough privilege to create new Kubernetes deployments.
  7. Siloscape extracts the Tor client to the disk from an archived file using an unzip binary. Both files are packed into the main Siloscape binary.
  8. Siloscape connects to the Tor network.
  9. Using the provided command line argument, Siloscape decrypts the C2 server’s password.
  10. Siloscape connects to the C2 server using an .onion domain (a domain accessible through the Tor network) provided as a command line argument.
  11. Siloscape waits for commands from the C2 and executes them.

The malware uses the Tor proxy software and an .onion domain to connect to its C&C server. The researcher managed to gain access to the C&C server and identified 23 active Siloscape victims; the server was hosting 313 users in total, and the campaign had been running for more than a year.
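A defender-side detection sketch for the chain above, added here as an example and not code from the original post or from Unit 42: it groups container-scoped events and flags a container that shows two or more of the observable steps (the global symlink to the host C: drive, kubectl.exe/kubeconfig access, and the unzip/Tor launch). The event schema, field names and sample telemetry are constructed for this example; map them to your own EDR or Sysmon data.

```python
import re
from collections import defaultdict

# Constructed event schema for this example: each record has "type"
# ("process" | "symlink" | "file"), "container" (silo id, "" on the host)
# and type-specific fields. Adapt the predicates to real telemetry.
KUBECONFIG_RE = re.compile(r"(\.kube[\\/]config|kubeconfig(\.ya?ml)?)$", re.I)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# (step number from the write-up, description, predicate on one event)
RULES = [
    (4, "global symlink from a container to the host C: drive",
     lambda ev: ev["type"] == "symlink" and ev.get("scope") == "global"
                and ev.get("target", "").lower().startswith("\\??\\c:")),
    (5, "kubectl.exe run or kubeconfig read from inside a container",
     lambda ev: (ev["type"] == "process" and _basename(ev["image"]) == "kubectl.exe")
                or (ev["type"] == "file" and bool(KUBECONFIG_RE.search(ev["path"])))),
    (7, "unzip or Tor client launched inside a container",
     lambda ev: ev["type"] == "process" and _basename(ev["image"]) in ("unzip.exe", "tor.exe")),
]

def match_steps(events):
    """Return {container_id: sorted list of chain steps observed in it}."""
    hits = defaultdict(set)
    for ev in events:
        if not ev.get("container"):      # host-side activity is out of scope here
            continue
        for step, _desc, pred in RULES:
            if pred(ev):
                hits[ev["container"]].add(step)
    return {c: sorted(s) for c, s in hits.items()}

def alerts(events, min_steps=2):
    """Containers exhibiting at least `min_steps` distinct chain steps."""
    return {c: s for c, s in match_steps(events).items() if len(s) >= min_steps}

# Constructed sample telemetry: silo-a1 runs the chain, silo-b7 only runs
# kubectl (a legitimate operator image), and one event is from the host.
SAMPLE_EVENTS = [
    {"type": "process", "container": "silo-a1", "image": "C:\\Windows\\Temp\\CloudMalware.exe"},
    {"type": "symlink", "container": "silo-a1", "scope": "global", "link": "X:", "target": "\\??\\C:\\"},
    {"type": "process", "container": "silo-a1", "image": "X:\\k\\kubectl.exe"},
    {"type": "file", "container": "silo-a1", "path": "X:\\Users\\admin\\.kube\\config"},
    {"type": "process", "container": "silo-a1", "image": "C:\\Windows\\Temp\\tor.exe"},
    {"type": "process", "container": "silo-b7", "image": "C:\\tools\\kubectl.exe"},
    {"type": "process", "container": "", "image": "C:\\Windows\\System32\\CExecSvc.exe"},
]

if __name__ == "__main__":
    for cid, steps in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {cid}: Siloscape-like chain, steps {steps}")
```

Requiring two distinct steps keeps a lone kubectl invocation from an operator container out of the alert set, while the symlink plus kubectl plus Tor sequence from one silo is flagged.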

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.
