The malware was discovered by Palo Alto Unit 42’s security researcher Daniel Prizmant:
In March 2021, I uncovered the first known malware targeting Windows containers, a development that is not surprising given the massive surge in cloud adoption over the past few years. I named the malware Siloscape (sounds like silo escape) because its primary goal is to escape the container, and in Windows this is implemented mainly by a server silo, he said in his publication.
A Look into the Siloscape Malware
As to what the purpose of Siloscape is, the malware aims to open a backdoor into poorly configured Kubernetes clusters and run malicious containers such as cryptojackers. Furthermore, the malware is “heavily obfuscated,” and since it targets entire clusters instead of individual containers, its impact can be quite disastrous.
“Unlike other malware targeting containers, which are mostly cryptojacking-focused, Siloscape doesn’t actually do anything that will harm the cluster on its own. Instead, it focuses on being undetected and untraceable and opens a backdoor to the cluster,” Prizmant said.
“Compromising an entire cluster is much more severe than compromising an individual container, as a cluster could run multiple cloud applications whereas an individual container usually runs a single cloud application,” Prizmant explained in his report. The Siloscape malware could enable an attacker to steal critical information from an organization, such as usernames and passwords, confidential, internal files, or even entire databases hosted in the compromised cluster.
Attack scenarios also include ransomware, where an organization’s files can be held hostage, or breaching of development or testing environments in software supply chain attacks. The latter attack is quite probable, as an increasing number of enterprises are moving to the cloud, using Kubernetes clusters as their testing environments.
In terms of technical details, the Siloscape malware uses the Tor proxy and an .onion domain to connect to its C2 server anonymously. Unit 42 identified 23 active Siloscape victims. Also, its server was being used to host 313 users in total , indicating that the malware was a small part of a larger operation. The researcher was also able to establish that the this particular campaign had been active for over a year.
How to mitigate against Siloscape malware
First of all, administrators should ensure that their Kubernetes cluster is securely configured. It is noteworthy that a secured Kubernetes cluster won’t be as vulnerable to the Siloscape malware, as the nodes’ privileges won’t suffice to create new deployments, Prizmant concluded.
Cryptojacking Malware Targeting Kubernetes and Docker
Last year, TeamTNT cryptomining operators were targeting AWS (Amazon Web Services) credentials and Kubernetes installations. The malware could scan the infected servers for AWS credentials. In case the compromised Docker and Kubernetes systems were running on AWS, the malware group would scan for ~/.aws/credentials and ~/.aws/config. Then, it would copy and upload the files on its command-and-control server.