S0623 Siloscape
Siloscape is malware that targets Kubernetes clusters through Windows containers. Siloscape was first observed in March 2021.[1]
| Item | Value |
|---|---|
| ID | S0623 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 18 June 2021 |
| Last Modified | 18 October 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.001 | Token Impersonation/Theft | Siloscape impersonates the main thread of CExecSvc.exe by calling NtImpersonateThread.[1] |
| enterprise | T1071 | Application Layer Protocol | Siloscape connects to an IRC server for C2.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Siloscape can run cmd through an IRC channel.[1] |
| enterprise | T1609 | Container Administration Command | Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Siloscape has decrypted the password of the C2 server with a simple byte-by-byte XOR. Siloscape also writes both an archive of Tor and the unzip binary to disk from data embedded within the payload using Visual Studio's Resource Manager.[1] |
| enterprise | T1611 | Escape to Host | Siloscape maps the host's C drive to the container by creating a global symbolic link to the host through a call to NtSetInformationSymbolicLink.[1] |
| enterprise | T1190 | Exploit Public-Facing Application | Siloscape is executed after the attacker gains initial access to a Windows container using a known vulnerability.[1] |
| enterprise | T1068 | Exploitation for Privilege Escalation | Siloscape has leveraged a vulnerability in Windows containers to perform an Escape to Host.[1] |
| enterprise | T1083 | File and Directory Discovery | Siloscape searches for the Kubernetes config file and other related files using a regular expression.[1] |
| enterprise | T1106 | Native API | Siloscape makes various native API calls.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Siloscape itself is obfuscated and uses obfuscated API calls.[1] |
| enterprise | T1069 | Permission Groups Discovery | Siloscape checks for Kubernetes node permissions.[1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | Siloscape uses Tor to communicate with C2.[1] |
| enterprise | T1518 | Software Discovery | Siloscape searches for the kubectl binary.[1] |