Siloscape is an unusual malware that aims to reach Kubernetes clusters. Usually, this type of threat focuses on Linux systems, as that is the most widely used OS (operating system) for managing cloud apps and environments. Siloscape, however, is the first observed malware threat that is specifically created to compromise Windows containers. The threat actor then tries to establish a backdoor in Kubernetes clusters that have not been configured appropriately, with the goal of running malicious containers.
Siloscape Malware Functionality
Siloscape is spread in the form of a file named 'CloudMalware.exe.' The threat exploits known vulnerabilities to gain unauthorized access to servers, web pages, and databases. According to the infosec researchers at Palo Alto Networks' Unit 42 who analyzed the malware, Siloscape leans toward using Server rather than Hyper-V isolation. Once established on the compromised system, the threat initiates various Windows container escape techniques in order to establish remote code execution (RCE) on the node underlying the container. One such method sees Siloscape assume the identity of the SExecSvc.exe container image service, which allows the malware to obtain the SeTcbPrivilege privilege.
Ultimately, if Siloscape is successful, it will be able to create malicious containers, harvest data from applications active on the breached cluster, or deploy a cryptominer that hijacks the hardware resources of the system to covertly generate coins of a chosen cryptocurrency.
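Because the threat relies on Windows containers running under Server (process) isolation inside clusters that are "not configured appropriately", one practical mitigation check is to audit pod specs for Windows workloads that are not pinned to a Hyper-V RuntimeClass and that carry settings which make a container escape more damaging (privileged containers, HostProcess containers, hostPath mounts, automounted service account tokens). The script below is an added example written for this article; it is not code from the original page or from Unit 42. The RuntimeClass name `windows-hyperv` and the sample pod manifests are constructed assumptions: replace the name with whatever RuntimeClass your cluster defines for Hyper-V-isolated Windows pods. Only the `kubernetes.io/os` node selector and the `windowsOptions.hostProcess` field are real Kubernetes identifiers.

```python
# Added example (not from the original article or Unit 42): audit Kubernetes
# pod specs for Windows workloads that run with process ("Server") isolation
# instead of Hyper-V isolation, plus settings that widen the blast radius of
# a container escape. Manifests are handled as plain dicts (what you would get
# from `kubectl get pods -o json`), so the script needs only the stdlib.

# Hypothetical RuntimeClass name(s) for Hyper-V-isolated Windows pods; adjust
# to match the RuntimeClass objects actually defined in your cluster.
HYPERV_RUNTIME_CLASSES = {"windows-hyperv"}


def is_windows_pod(pod):
    """A pod is treated as a Windows workload if it selects Windows nodes
    via the standard kubernetes.io/os label."""
    selector = pod.get("spec", {}).get("nodeSelector", {})
    return selector.get("kubernetes.io/os") == "windows"


def audit_pod(pod):
    """Return a list of human-readable findings for one pod (empty = clean).
    Linux pods are skipped because the checks are Windows-specific."""
    findings = []
    if not is_windows_pod(pod):
        return findings
    spec = pod.get("spec", {})

    # 1. Isolation mode: without a Hyper-V RuntimeClass the pod shares the
    #    node kernel, which is the configuration the malware prefers.
    if spec.get("runtimeClassName") not in HYPERV_RUNTIME_CLASSES:
        findings.append("process-isolated (no Hyper-V RuntimeClass)")

    # 2. Per-container settings that hand node-level power to the workload.
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged")
        if sc.get("windowsOptions", {}).get("hostProcess"):
            findings.append(f"{c['name']}: HostProcess container")

    # 3. hostPath volumes expose the node filesystem to the container.
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            findings.append(f"volume {v['name']}: hostPath mount")

    # 4. An automounted service account token lets an escaped process talk
    #    to the API server with the pod's identity.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token automounted")
    return findings


def audit_all(pods):
    """Map pod name -> findings for a list of pod manifests."""
    return {p["metadata"]["name"]: audit_pod(p) for p in pods}


# Constructed sample manifests (not taken from any real cluster).
SAMPLE_PODS = [
    {   # Windows pod with Hyper-V isolation and tight settings: clean.
        "metadata": {"name": "web-win"},
        "spec": {
            "nodeSelector": {"kubernetes.io/os": "windows"},
            "runtimeClassName": "windows-hyperv",
            "automountServiceAccountToken": False,
            "containers": [{"name": "web", "image": "example/web:1.0"}],
        },
    },
    {   # Windows pod on process isolation, privileged, with a hostPath mount.
        "metadata": {"name": "legacy-win"},
        "spec": {
            "nodeSelector": {"kubernetes.io/os": "windows"},
            "containers": [{"name": "app", "image": "example/app:2.3",
                            "securityContext": {"privileged": True}}],
            "volumes": [{"name": "host", "hostPath": {"path": "C:\\"}}],
        },
    },
    {   # Linux pod: out of scope for these checks.
        "metadata": {"name": "api-linux"},
        "spec": {"nodeSelector": {"kubernetes.io/os": "linux"},
                 "containers": [{"name": "api", "image": "example/api:1.0"}]},
    },
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PODS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Feed it the `items` array of `kubectl get pods -A -o json` to run it against a live cluster. The isolation check is the one most directly tied to the article: a Windows pod that is not on a Hyper-V RuntimeClass is the kind of target the malware is built for, and the remaining findings describe how much an escape from such a pod would gain.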
Increased Focus on Stealth
Siloscape is heavily obfuscated in order to avoid detection by security countermeasures and hamper reverse-engineering attempts. The threat's functions and module names are only deobfuscated at runtime, while the password for the Command-and-Control (C2, C&C) server is decrypted with a pair of hardcoded keys. In fact, each Siloscape instance uses a different pair of keys, which makes every binary differ from the others.
To reach its C2 server, Siloscape relies on the Tor proxy and an '.onion' domain. Unit 42 researchers were able to access the server of the operation and managed to identify 23 active victims, with 313 victims in total. The hackers noticed the outside presence within minutes and quickly rendered the service at that .onion address inactive.