Security researchers have discovered a new type of malware that uses the Windows Subsystem for Linux (WSL) as a means to stealthily attack systems.
The attacks are carried out with malicious Linux binaries, a technique that had previously been only a theoretical proof of concept. The new attack vector was discovered by researchers at Black Lotus Labs, who describe it as “the first example of an actor abusing WSL to install subsequent payloads.”
The technique involves using malicious files to deliver the payload and then injecting malware using Windows API calls.
In a blog article, the researchers explain: “Black Lotus Labs recently identified several malicious files that were written primarily in Python and compiled in the Linux ELF (Executable and Linkable Format) binary format for the Debian operating system.”
These files acted as loaders running a payload that was either built into the sample or retrieved from a remote server and then injected into a running process using Windows API calls. While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero on VirusTotal, depending on the sample, at the time of writing.
The researchers actually discovered two slight variations of the ELF loader approach. While the first involved pure Python, the second uses Python to call various Windows APIs via ctypes and to invoke a PowerShell script. The theory is that the PowerShell variant is still under research and development.
What’s particularly concerning about the use of the Windows Subsystem for Linux is that it lets these attacks fly under the radar and go completely unnoticed. The security researchers point out:
As suggested by the negligible detection rate on VirusTotal, most endpoint agents designed for Windows systems do not have signatures designed to scan ELF files, although they frequently detect non-WSL agents with similar functionality.
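The point above is that Windows-oriented endpoint tooling often keys on file extensions and PE signatures and simply does not look inside ELF files. A defender can close part of that gap with a content-based check. The following is an added example, not code from the Black Lotus Labs write-up: a minimal ELF header parser that identifies ELF binaries by their magic bytes regardless of file name, reports their class, endianness, OS ABI, type and machine, and a directory walker that applies it to a tree such as an exported WSL root filesystem. The sample header bytes are constructed here for illustration, and the suggested scan location is an assumption.

```python
"""Added defender-side example: find ELF binaries by header content, not by extension."""
import os
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

ELF_MAGIC = b"\x7fELF"

# Small lookup tables for the fields a triage report usually wants.
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "x86", 62: "x86-64", 40: "ARM", 183: "AArch64"}
OSABI = {0: "SysV", 3: "Linux"}


@dataclass
class ElfInfo:
    bits: int
    little_endian: bool
    osabi: str
    e_type: str
    machine: str


def parse_elf_header(data: bytes) -> Optional[ElfInfo]:
    """Return ElfInfo if `data` starts with a well-formed ELF identification
    block and type/machine fields, otherwise None (non-ELF or malformed)."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data, ei_version, ei_osabi = data[4], data[5], data[6], data[7]
    # EI_CLASS must be 1 (32-bit) or 2 (64-bit); EI_DATA 1 (LE) or 2 (BE); EI_VERSION 1.
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine immediately follow the 16-byte e_ident array.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return ElfInfo(
        bits=32 if ei_class == 1 else 64,
        little_endian=(ei_data == 1),
        osabi=OSABI.get(ei_osabi, f"osabi-{ei_osabi}"),
        e_type=E_TYPE.get(e_type, f"type-{e_type}"),
        machine=E_MACHINE.get(e_machine, f"machine-{e_machine}"),
    )


def find_elf_files(root: str) -> Iterator[Tuple[str, ElfInfo]]:
    """Walk `root` and yield (path, header info) for every file whose first
    bytes parse as an ELF header, whatever its extension."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the scan
            info = parse_elf_header(head)
            if info is not None:
                yield path, info


# Constructed sample (not a real malware artefact): first 20 bytes of a
# 64-bit, little-endian, Linux-ABI, ET_EXEC, x86-64 ELF header.
SAMPLE_ELF_HEADER = (
    ELF_MAGIC + bytes([2, 1, 1, 3]) + b"\x00" * 8  # e_ident: class, data, version, osabi, pad
    + struct.pack("<HH", 2, 62)                     # e_type=EXEC, e_machine=x86-64
)

if __name__ == "__main__":
    import sys
    print(parse_elf_header(SAMPLE_ELF_HEADER))
    # Assumed scan root: point this at an exported WSL distro filesystem or any
    # directory you want checked; defaults to the current directory.
    for path, info in find_elf_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {info.bits}-bit {info.machine} {info.e_type} ({info.osabi})")
```

Run it against a directory tree and every ELF file is listed with its basic header facts, which is enough to feed a ticket or a hash lookup; a PE file, a text file, or an ELF with an invalid class byte is rejected because the check is on structure rather than the name.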
More details on this type of attack can be found in the Black Lotus Labs blog post.