Researchers have discovered the first known malware targeting Windows containers; it mimics CExecSvc.exe in order to break out of the container.
Researchers from Palo Alto Networks (Unit 42) have identified the first known malware targeting Windows Server containers (not Hyper-V isolated containers). Named “Siloscape”, its primary goal is to break out of the container.
Siloscape is heavily obfuscated and targets Kubernetes clusters through Windows containers. “Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers,” the researcher stated, adding that such a backdoor can also be used for other malicious activities.
The detailed attack flow, quoted from the research paper:
- The attacker achieves remote code execution (RCE) inside a Windows container using a known vulnerability or a vulnerable web page or database.
- The attacker executes Siloscape (CloudMalware.exe) with the necessary C2 connection information provided as command line arguments (and not hardcoded inside the binary).
- Siloscape impersonates CExecSvc.exe to obtain SeTcbPrivilege privileges (this technique is described in detail in my previous article).
- Siloscape creates a global symbolic link to the host, practically linking its containerized X drive to the host’s C drive.
- Siloscape searches for the kubectl.exe binary by name and the Kubernetes config file by regular expression on the host, using the global link.
- Siloscape checks if the compromised node has enough privilege to create new Kubernetes deployments.
- Siloscape extracts the Tor client to the disk from an archived file using an unzip binary. Both files are packed into the main Siloscape binary.
- Siloscape connects to the Tor network.
- Using the provided command line argument, Siloscape decrypts the C2 server’s password.
- Siloscape connects to the C2 server using an .onion domain (a domain accessible through the Tor network) provided as a command line argument.
- Siloscape waits for commands from the C2 and executes them.
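The step in which Siloscape checks whether the compromised node may create new Deployments is the same question a defender should ask about every node credential before an attacker does. The script below is an added example written for this article; it is not code from the original page, from Unit 42, or from the malware. It evaluates exported RBAC objects offline (the shape `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json` returns, reduced to the fields that matter) and reports in which namespaces a given subject can create Deployments. The RBAC objects, the node and service-account identities, and the function names are all constructed for the example. It models only RBAC role and binding evaluation: aggregated ClusterRoles, non-resource URLs and other authorizers (for example the Node authorizer or a webhook) are out of scope, so treat a "denied" result as a necessary but not sufficient check.

```python
"""Offline RBAC audit: which namespaces let a subject create Deployments?

Added example for this article (not Unit 42 or Siloscape code). The data
below is constructed sample input, not from any real cluster.
"""

# Constructed sample: a reduced form of the output of
# `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "deployment-admin"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["create", "get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view-only"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "ns-admin", "namespace": "dev"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # Over-privileged node identity: this is the misconfiguration Siloscape looks for.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "win-node-deploy"},
     "roleRef": {"kind": "ClusterRole", "name": "deployment-admin"},
     "subjects": [{"kind": "User", "name": "system:node:win-node-1"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "view-only"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-admins", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "ns-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
]


def _rule_allows(rule, api_group, resource, verb):
    """Does one PolicyRule grant `verb` on `resource` in `api_group`? '*' is a wildcard."""
    return (any(g in ("*", api_group) for g in rule.get("apiGroups", []))
            and any(r in ("*", resource) for r in rule.get("resources", []))
            and any(v in ("*", verb) for v in rule.get("verbs", [])))


def _subject_matches(binding_subject, subject):
    """Group subjects match the caller's group list; User/ServiceAccount match on
    kind and name, and ServiceAccounts additionally on namespace."""
    kind = binding_subject.get("kind")
    if kind == "Group":
        return binding_subject.get("name") in subject.get("groups", [])
    if kind != subject.get("kind") or binding_subject.get("name") != subject.get("name"):
        return False
    if kind == "ServiceAccount":
        return binding_subject.get("namespace") == subject.get("namespace")
    return True


def can_i(objects, subject, verb, resource, api_group, namespace):
    """Return the names of bindings that grant the request (empty list = denied).

    Mirrors the API server's RBAC logic for one request: a ClusterRoleBinding
    applies in every namespace; a RoleBinding applies only in its own namespace
    and may reference either a Role in that namespace or a ClusterRole.
    """
    roles = {}
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            key = (o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"])
            roles[key] = o.get("rules", [])
    grants = []
    for o in objects:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(_subject_matches(s, subject) for s in o.get("subjects", [])):
            continue
        binding_ns = o["metadata"].get("namespace")
        if o["kind"] == "RoleBinding" and binding_ns != namespace:
            continue  # a RoleBinding never reaches outside its own namespace
        ref = o["roleRef"]
        ref_ns = binding_ns if ref["kind"] == "Role" else None
        rules = roles.get((ref["kind"], ref_ns, ref["name"]), [])
        if any(_rule_allows(r, api_group, resource, verb) for r in rules):
            grants.append(o["metadata"]["name"])
    return grants


def deployment_create_scope(objects, subject, namespaces):
    """Map each namespace in which `subject` may create Deployments to the bindings granting it."""
    scope = {}
    for ns in namespaces:
        grants = can_i(objects, subject, "create", "deployments", "apps", ns)
        if grants:
            scope[ns] = grants
    return scope


if __name__ == "__main__":
    # Constructed identities: a Windows node's kubelet credential and a CI service account.
    node = {"kind": "User", "name": "system:node:win-node-1",
            "groups": ["system:nodes", "system:authenticated"]}
    ci = {"kind": "ServiceAccount", "name": "ci", "namespace": "dev",
          "groups": ["system:serviceaccounts", "system:authenticated"]}
    for who in (node, ci):
        scope = deployment_create_scope(SAMPLE_OBJECTS, who, ["default", "dev", "kube-system"])
        if scope:
            print(f"FINDING: {who['name']} can create Deployments via {scope}")
        else:
            print(f"ok: {who['name']} cannot create Deployments")
```

Run against a real export by replacing `SAMPLE_OBJECTS` with the `items` list of the JSON `kubectl` returns, and supply the node's real identity (`system:node:<hostname>` in group `system:nodes`). Any node whose result is non-empty holds exactly the privilege Siloscape needs to deploy its own containers from a compromised node.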
Siloscape uses the Tor proxy software and a .onion domain to reach its C2 server. The researcher managed to gain access to that C2 server and found 23 active Siloscape victims; the server was being used to host 313 users in total, and the campaign had been running for more than a year.
For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.