The malware, dubbed Siloscape, is considered unusual as malware generally designed to target containers focuses on Linux as a popular operating system for managing cloud applications and environments.
According to Palo Alto Networks’ Unit 42, Siloscape, first discovered in March this year, has been named as such because its overall aim is to escape Windows containers via a server silo.
In a blog post on Monday, the cybersecurity researchers said Siloscape uses the Tor proxy and an .onion domain to connect to its command-and-control (C2) server, used by threat actors to manage their malware, data exfiltration, and to send commands.
The malware, labeled as CloudMalware.exe, targets Windows containers – using Server rather than Hyper-V isolation – and will launch attacks utilizing known vulnerabilities that have not been patched for initial access against servers, web pages, or databases.
Siloscape will then attempt to achieve remote code execution (RCE) on the underlying node of a container by using various Windows container escape techniques, such as the impersonation of the CExecSvc.exe, a container image service, to obtain SeTcbPrivilege privileges.
“Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container,” Unit 42 says. “More specifically, it links its local containerized X drive to the host’s C drive.”
If the malware is able to escape, it will then try to create malicious containers, steal data from applications running in compromised clusters, or will load up cryptocurrency miners to leverage the system’s resources to covertly mine for cryptocurrency and earn its operators profit for as long as the activities go undetected.
The malware’s developers have ensured that heavy obfuscation is in place – to the point where functions and module names are only deobfuscated at runtime – in order to conceal itself and make reverse-engineering more difficult. In addition, the malware uses a pair of keys to decrypt the C2 server’s password – keys that are suspected to be generated for each unique attack.
“The hardcoded key makes each binary a little bit different than the rest, which is why I couldn’t find its hash anywhere,” the research states. “It also makes it impossible to detect Siloscape by hash alone.”
Unit 42 managed to obtain access to the C2 and identified a total of 23 active victims, as well as 313 victims in total, likely secured in campaigns over the past year. However, it was mere minutes before the researchers’ presence was noted and they were kicked out of the server and the service was rendered inactive – at least, at that .onion address.
Microsoft recommends that Hyper-V containers are deployed if containerization is utilized as a form of security boundary rather than relying on standard Windows containers. Unit 42 added that Kubernetes clusters should be configured properly and should not allow node privileges alone to be enough to create new deployments.
Previous and related coverage
Perfect storm: Fraud is skyrocketing coming out of pandemicNecro Python bot revamped with new VMWare, server exploitsFBI, DOJ to treat ransomware attacks with similar priority as terrorism
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0