20 September 2021

Malware abusing Windows Subsystem for Linux discovered


Security researchers at Lumen’s Black Lotus Labs discovered several malicious Linux files designed to infect the Windows Subsystem for Linux (WSL) with malicious payloads.

First introduced in 2016, WSL allows developers to run a GNU/Linux environment, including most command-line tools, utilities, and applications, directly on Windows, unmodified, without the overhead of a traditional virtual machine or dual-boot setup.

The researchers said that the discovered samples were written primarily in Python and compiled in the Linux binary format ELF for the Debian OS, a popular Linux distribution. These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls.

The samples were uploaded every two to three weeks from as early as May 3, 2021, through August 22, 2021, with the earliest samples written purely in Python 3. These samples used standard Python libraries that would allow them to run on both Linux and Windows systems. Another sample used PowerShell to interact with specific Windows APIs.
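The two observations above, an ELF binary built for Debian that carries a Python program and injects its payload through Windows API calls, can be turned into a simple triage rule for files found in a WSL distribution: a Linux ELF file has no ordinary reason to name Windows process-injection APIs. The script below is an added illustration and is not code from the article or from the Black Lotus Labs report; the API names and Python runtime markers it searches for are assumptions chosen for demonstration, not indicators published for this campaign, and the three sample files it scans are constructed in a temporary directory so the script runs offline.

```python
"""Triage helper: flag ELF files that reference Windows process-injection APIs.

Added example, not from the article or the Black Lotus Labs report. The marker
strings are assumptions for illustration, not published indicators.
"""
import os
import struct
import tempfile
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"
EM_NAMES = {3: "x86", 40: "arm", 62: "x86-64", 183: "aarch64"}

# Assumed markers: Windows APIs commonly involved in injecting code into a
# running process, and strings typical of a Python program packed into an ELF.
WINDOWS_INJECTION_APIS = (b"OpenProcess", b"VirtualAllocEx",
                          b"WriteProcessMemory", b"CreateRemoteThread")
PYTHON_MARKERS = (b"libpython", b"ctypes", b"_MEIPASS")
MAX_READ = 8 * 1024 * 1024  # only the first 8 MiB of each file is inspected


@dataclass
class Finding:
    path: str
    is_elf: bool
    machine: str = "n/a"
    windows_apis: list = field(default_factory=list)
    python_markers: list = field(default_factory=list)

    def suspicious(self) -> bool:
        # A Linux ELF file that names Windows injection APIs deserves a closer look.
        return self.is_elf and bool(self.windows_apis)


def inspect_bytes(data: bytes, path: str = "<memory>") -> Finding:
    """Classify one file's contents; the file is only read, never executed."""
    finding = Finding(path=path, is_elf=data[:4] == ELF_MAGIC)
    if finding.is_elf and len(data) >= 20:
        # e_ident[EI_DATA]: 1 = little-endian, 2 = big-endian; e_machine sits at offset 18.
        endian = "<" if data[5] == 1 else ">"
        (e_machine,) = struct.unpack(endian + "H", data[18:20])
        finding.machine = EM_NAMES.get(e_machine, f"unknown({e_machine})")
    finding.windows_apis = [m.decode() for m in WINDOWS_INJECTION_APIS if m in data]
    finding.python_markers = [m.decode() for m in PYTHON_MARKERS if m in data]
    return finding


def scan_dir(root: str) -> list:
    """Inspect every regular file under root and return one Finding per file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    findings.append(inspect_bytes(fh.read(MAX_READ), full))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return findings


def constructed_elf(extra: bytes) -> bytes:
    """A 64-byte little-endian x86-64 ELF header followed by `extra`.
    Constructed for this demo only; it is not a runnable binary."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    rest = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    return ident + rest + extra


def demo() -> dict:
    """Write three constructed samples to a temp dir, scan it, map basename -> Finding."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            # ELF that embeds a Python runtime and names Windows injection APIs
            "loader.elf": constructed_elf(b"libpython3.9.so\x00ctypes\x00kernel32.dll\x00"
                                          b"OpenProcess\x00WriteProcessMemory\x00"
                                          b"CreateRemoteThread\x00"),
            # ordinary ELF tool with no Windows API references
            "tool.elf": constructed_elf(b"GCC: (Debian) 10.2.1\x00/lib64/ld-linux-x86-64.so.2\x00"),
            # plain text that mentions the same APIs: not ELF, so not flagged
            "notes.txt": b"reading about OpenProcess and CreateRemoteThread\n",
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return {os.path.basename(f.path): f for f in scan_dir(tmp)}


if __name__ == "__main__":
    for name, f in sorted(demo().items()):
        flag = "SUSPICIOUS" if f.suspicious() else "ok"
        print(f"{name:10} elf={f.is_elf} machine={f.machine} "
              f"apis={f.windows_apis} py={f.python_markers} -> {flag}")
```

To use it against a real host, point `scan_dir` at the rootfs of an installed WSL distribution as seen from the Windows side (for Store-installed distributions this lives under `%LOCALAPPDATA%\Packages\<distribution>\LocalState\rootfs`) and review the findings whose `suspicious()` is true; the string matching is deliberately crude and will miss packed or encrypted payloads, so treat a hit as a lead for analysis rather than a verdict.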

One PowerShell sample contained functions allowing it to kill suspected AV products and analysis tools, Black Lotus said.

“To our knowledge, this small set of samples denotes the first instance of an actor abusing WSL to install subsequent payloads,” the Black Lotus Labs security researchers said. “We hope that by illuminating this distinct tradecraft, we can help drive better detection and alerting before its use becomes more rampant.”

Indicators of Compromise and file hashes associated with this campaign are available in the Black Lotus Labs report.

