Siloscape

Siloscape is malware that targets Kubernetes clusters through Windows containers. Siloscape was first observed in March 2021.[1]

ID: S0623
Type: MALWARE
Platforms: Windows, Containers
Contributors: Daniel Prizmant, Palo Alto Networks; Yuval Avrahami, Palo Alto Networks
Version: 1.0
Created: 18 June 2021
Last Modified: 18 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Siloscape impersonates the main thread of CExecSvc.exe by calling NtImpersonateThread.[1]

Enterprise T1071 Application Layer Protocol

Siloscape connects to an IRC server for C2.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Siloscape can run cmd through an IRC channel.[1]

Enterprise T1609 Container Administration Command

Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Siloscape has decrypted the password of the C2 server with a simple byte by byte XOR. Siloscape also writes both an archive of Tor and the unzip binary to disk from data embedded within the payload using Visual Studio’s Resource Manager.[1]

Enterprise T1611 Escape to Host

Siloscape maps the host’s C drive to the container by creating a global symbolic link to the host through the calling of NtSetInformationSymbolicLink.[1]

Enterprise T1190 Exploit Public-Facing Application

Siloscape is executed after the attacker gains initial access to a Windows container using a known vulnerability.[1]

Enterprise T1068 Exploitation for Privilege Escalation

Siloscape has leveraged a vulnerability in Windows containers to perform an Escape to Host.[1]

Enterprise T1083 File and Directory Discovery

Siloscape searches for the Kubernetes config file and other related files using a regular expression.[1]

Enterprise T1106 Native API

Siloscape makes various native API calls.[1]

Enterprise T1027 Obfuscated Files or Information

Siloscape itself is obfuscated and uses obfuscated API calls.[1]

Enterprise T1069 Permission Groups Discovery

Siloscape checks for Kubernetes node permissions.[1]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Siloscape uses Tor to communicate with C2.[1]

Enterprise T1518 Software Discovery

Siloscape searches for the kubectl binary.[1]

References