Various malicious samples have been created for the Home windows Subsystem for Linux (WSL) with the objective of compromising Home windows machines, highlighting a sneaky technique that permits the operators to remain underneath the radar and thwart detection by fashionable anti-malware engines.
The “distinct tradecraft” marks the primary occasion the place a risk actor has been discovered abusing WSL to put in subsequent payloads.
“These recordsdata acted as loaders operating a payload that was both embedded inside the pattern or retrieved from a distant server and was then injected right into a operating course of utilizing Home windows API calls,” researchers from Lumen Black Lotus Labsin a report printed on Thursday.
Home windows Subsystem for Linux, launched in August 2016, is athat is designed to run Linux binary executables (in ELF format) natively on the Home windows platform with out the overhead of a conventional digital machine or dual-boot setup.
The earliest artifacts date again to Might 3, 2021, with a collection of Linux binaries uploaded each two to 3 weeks until August 22, 2021. Not solely are the samples written in Python 3 and transformed into an ELF executable with PyInstaller, however the recordsdata are additionally orchestrated to obtain shellcode from a distant command-and-control server and make use of PowerShell to hold out follow-on actions on the contaminated host.
This secondary “shellcode” payload is then injected right into a operating Home windows course of utilizing Home windows API requires what Lumen described as “ELF to Home windows binary file execution,” however not earlier than the pattern makes an attempt to terminate suspected antivirus merchandise and evaluation instruments operating on the machine. What’s extra, the usage of normal Python libraries makes among the variants interoperable on each Home windows and Linux.
“To this point, we’ve got recognized a restricted variety of samples with just one publicly routable IP deal with, indicating that this exercise is sort of restricted in scope or probably nonetheless in growth,” the researchers stated. “Because the as soon as distinct boundaries between working techniques proceed to turn out to be extra nebulous, risk actors will make the most of new assault surfaces.”