Unit 42 from Palo Alto Networks finds the first Windows Container malware

Get a free Techzine subscription!

Palo Alto Networks revealed that it discovered the first known malware targeting Windows containers.

It has been named Siloscape and uses sophisticated code obfuscation techniques to create backdoors into a Kubernetes cluster running Windows containers that can be exploited later.

Matt Chiodi, the Chief Security Officer at Palo Alto Networks says that the malware has been targeting Windows Container environments for more than a year now and communicates to its command and control (C2) server via a Tor network.

More criminals on the way

Researchers from Unit 42 have not been able to determine where Siloscape comes from but Microsoft has been alerted. Chiodi says that even though containers in Windows environments are in the early days, he adds that hundreds of millions of Windows containers have been downloaded from the DockerHub repository in the last year.

The level of activity can only go up and subsequently, it won’t take long before the criminals are all over the Windows platforms.

Chiodi remarked on how sophisticated the malware is. Most types target Linux containers, to allow criminals to use them for mining digital currency through a process known as crypto-jacking but Siloscape is different.

Siloscape

The malware is a Trojan horse that somehow can create a backdoor for any type of attack, including ransomware attacks, DDoS attacks, and data exfiltration. Siloscape may reside on a cluster for months before activation, which only makes the need for cybersecurity all the more urgent.

Security teams need to make more effort to discover the malware before it wakes.

Complacency among organizations in terms of container security is common since they are only up for a short time in many cases. However, criminals have shown time and again that they can take advantage of the smallest opportunities. For that reason, it is important to be proactive in terms of security.