A number of malicious samples have been created for the Windows Subsystem for Linux (WSL) with the goal of compromising Windows machines, highlighting a sneaky method that allows the operators to stay under the radar and thwart detection by popular anti-malware engines.
The “distinct tradecraft” marks the first instance where a threat actor has been found abusing WSL to install subsequent payloads.
“These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls,” researchers from Lumen Black Lotus Labs said in a report published on Thursday.
Windows Subsystem for Linux, launched in August 2016, is a compatibility layer that's designed to run Linux binary executables (in ELF format) natively on the Windows platform without the overhead of a traditional virtual machine or dual-boot setup.
The earliest artifacts date back to May 3, 2021, with a series of Linux binaries uploaded every two to three weeks until August 22, 2021. Not only are the samples written in Python 3 and converted into an ELF executable with PyInstaller, but the files are also orchestrated to download shellcode from a remote command-and-control server and employ PowerShell to carry out follow-on activities on the infected host.
This secondary “shellcode” payload is then injected into a running Windows process using Windows API calls for what Lumen described as “ELF to Windows binary file execution,” but not before the sample attempts to terminate suspected antivirus products and analysis tools running on the machine. What’s more, the use of standard Python libraries makes some of the variants interoperable on both Windows and Linux.
“So far, we have identified a limited number of samples with only one publicly routable IP address, indicating that this activity is quite limited in scope or potentially still in development,” the researchers said. “As the once distinct boundaries between operating systems continue to become more nebulous, threat actors will take advantage of new attack surfaces.”
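For defenders triaging files found on a Windows host, the combination described above (an ELF executable packaged with PyInstaller) can be checked statically. The following is an added example, not code from the Lumen report: the function names are hypothetical, the sample bytes are constructed, and it assumes the PyInstaller archive cookie magic `MEI\x0c\x0b\x0a\x0b\x0e` is present unmodified in the bundle.

```python
"""Triage helper: flag ELF files that carry a PyInstaller archive cookie."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
# Magic that opens the PyInstaller CArchive cookie (assumed unmodified).
PYI_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def triage(data: bytes) -> dict:
    """Return ELF header facts and whether a PyInstaller cookie is present."""
    result = {"elf": False, "pyinstaller": False}
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return result  # not an ELF file (for example a PE starting with MZ)
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return result  # malformed identification bytes
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine follow the 16-byte e_ident array.
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    result.update(
        elf=True,
        bits=32 if ei_class == 1 else 64,
        type=E_TYPES.get(e_type, hex(e_type)),
        machine=E_MACHINES.get(e_machine, hex(e_machine)),
        pyinstaller=PYI_COOKIE in data,
    )
    return result


def make_sample(with_cookie: bool) -> bytes:
    """Constructed test input: minimal 64-bit little-endian ELF header."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    body = ident + struct.pack("<HH", 2, 62) + b"\x00" * 44
    return body + (PYI_COOKIE + b"\x00" * 80 if with_cookie else b"")


if __name__ == "__main__":
    # Usage: python triage.py FILE [FILE ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            info = triage(fh.read())
        flag = "REVIEW" if info["elf"] and info["pyinstaller"] else "ok"
        print(f"{flag}\t{path}\t{info}")
```

PyInstaller is also used by legitimate software, so a hit is a reason to look closer at the file, not a verdict on its own.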