New malware targets Windows containers to access Kubernetes clusters


Level 76
Content Creator
Malware Hunter
Aug 17, 2014
A new brand of malware designed to compromise Windows containers to reach Kubernetes clusters has been revealed by researchers.

The malware, dubbed Siloscape, is considered unusual as malware generally designed to target containers focuses on Linux as a popular operating system for managing cloud applications and environments.

According to Palo Alto Networks' Unit 42, Siloscape, first discovered in March this year, has been named as such because its overall aim is to escape Windows containers via a server silo.

In a blog post on Monday, the cybersecurity researchers said Siloscape uses the Tor proxy and an .onion domain to connect to its command-and-control (C2) server, used by threat actors to manage their malware, data exfiltration, and to send commands.

The malware, labeled as CloudMalware.exe, targets Windows containers -- using Server rather than Hyper-V isolation -- and will launch attacks utilizing known vulnerabilities that have not been patched for initial access against servers, web pages, or databases.

Siloscape will then attempt to achieve remote code execution (RCE) on the underlying node of a container by using various Windows container escape techniques, such as the impersonation of the CExecSvc.exe, a container image service, to obtain SeTcbPrivilege privileges. [...]