Yes, of course there's now malware for Windows Subsystem for Linux

Once-dismissed proof-of-concept attack on Microsoft OS through WSL detected in the wild


Updated Linux binaries have been found trying to take over Windows systems in what appears to be the first publicly identified malware to utilize Microsoft's Windows Subsystem for Linux (WSL) to install unwelcome payloads.

On Thursday, Black Lotus Labs, the threat research group at networking biz Lumen Technologies, said it had spotted several malicious Python files compiled in the Linux binary format ELF (Executable and Linkable Format) for Debian Linux.

"These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls," Black Lotus Labs said in a blog post.

In 2017, more than a year after the introduction of WSL, Check Point researchers proposed a proof-of-concept attack called Bashware that used WSL to run malicious ELF and EXE payloads. Because WSL wasn't enabled by default and Windows 10 didn't ship with any preinstalled Linux distro, Bashware wasn't considered a particularly realistic threat at the time.

Four years later, WSL-based malware has arrived. The files function as loaders for a payload that's either embedded – possibly created using open-source tools like MSFVenom or Meterpreter – or fetched from a remote command-and-control server and is then inserted into a running process via Windows API calls.


"Threat actors always look for new attack surfaces," said Mike Benjamin, Lumen vice president of product security and head of Black Lotus Labs, in a statement.

"While the use of WSL is generally limited to power users, those users often have escalated privileges in an organization. This creates blind spots as the industry continues to remove barriers between operating systems."

If there's a bright side to this anticipated development, it's that this initial WSL attack isn't particularly sophisticated, according to Black Lotus Labs. Nonetheless, the samples had a detection rate of one or zero in VirusTotal, indicating that the malicious ELFs would have been missed by most antivirus systems.

Black Lotus Labs said the files were written in Python 3 and turned into an ELF executable using PyInstaller. The code invokes various Windows APIs to fetch a remote file and add it to a running process, thereby establishing access to the infected machine. Presumably a miscreant attacking a Windows system would need to get code execution within the WSL environment in the first place, somehow.

Two variants of the malware were identified. One was pure Python, the other was mostly Python but used the Python ctypes library to connect to Windows APIs and run a PowerShell script. The Black Lotus Labs researchers theorize this second variant was still in development because it didn't run on its own.

One of the PowerShell samples had a kill_av() function that tries to disable suspected antivirus software using the Python os.popen() function in the subprocess module for managing subprocesses. It also included a reverseshell() function that used a subprocess to run a Base64-encoded PowerShell script every 20 seconds within an infinite while True: loop, preventing other functions from running.

The one routable IP address (185.63.90[.]137) identified in the samples has been linked to targets in Ecuador and France that communicated with the malicious IP on ports 39000 through 48000 in late June and early July, the researchers said. They theorize that whoever is behind the malware was testing a VPN or proxy node.

Black Lotus Labs advises anyone who has enabled WSL to make sure logging is active to spot these sorts of incursions. ®
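The logging advice above is only useful if something reads the logs. The script below is an added example, not code from Black Lotus Labs or from the samples they analysed: it runs over a handful of constructed process-creation records (a simplified key=value export using Sysmon Event ID 1 field names, not Sysmon's real format) and flags the two behaviours the article describes, PowerShell being spawned from the WSL side and the same Base64-encoded PowerShell command recurring on a fixed interval like the 20-second loop. It assumes the Windows launcher (wsl.exe or bash.exe) is recorded as the parent of the PowerShell process; the actual parent chain depends on the WSL version and how interop was invoked, so the launcher list is a tuning knob rather than a fact from the page. The encoded payload is a harmless Write-Host, generated in the block so the Base64 is correct.

```python
"""Added example: spot WSL-launched, Base64-encoded, periodically repeating PowerShell in process logs."""
import base64
import json
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the WSL launcher shows up as the Windows-side parent. Tune to your logs.
WSL_LAUNCHERS = {"wsl.exe", "bash.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# -EncodedCommand and the abbreviations powershell.exe accepts, followed by Base64.
ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed sample records (key=value pairs separated by '|'); values are invented.
ENCODED = base64.b64encode('Write-Host "hello"'.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSL = r"C:\Windows\System32\wsl.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_LOG = "\n".join([
    f"UtcTime=2021-07-01 10:00:00|ParentImage={EXPLORER}|Image={WSL}|CommandLine=wsl.exe",
    f"UtcTime=2021-07-01 10:00:05|ParentImage={WSL}|Image={PS}|CommandLine=powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}",
    f"UtcTime=2021-07-01 10:00:25|ParentImage={WSL}|Image={PS}|CommandLine=powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}",
    f"UtcTime=2021-07-01 10:00:45|ParentImage={WSL}|Image={PS}|CommandLine=powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}",
    f"UtcTime=2021-07-01 10:01:00|ParentImage={EXPLORER}|Image={PS}|CommandLine=powershell.exe Get-Process",
])


def parse_event(line):
    """Parse one constructed 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")  # first '=' only; Base64 padding stays intact
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (UTF-16LE Base64), or None if absent/invalid."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def wsl_spawned_powershell(events):
    """Events where a WSL launcher is the parent of a PowerShell process."""
    return [e for e in events
            if basename(e.get("ParentImage", "")) in WSL_LAUNCHERS
            and basename(e.get("Image", "")) in POWERSHELL]


def periodic_repeats(events, min_count=3, jitter=2.0):
    """Report identical (parent, image, command line) triples that recur at a near-constant
    interval; that is the shape of a 'run this every N seconds' loop."""
    groups = defaultdict(list)
    for e in events:
        key = (basename(e.get("ParentImage", "")), basename(e.get("Image", "")), e.get("CommandLine", ""))
        groups[key].append(datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"))
    findings = []
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            findings.append({"command": key[2], "count": len(times), "interval_s": sum(gaps) / len(gaps)})
    return findings


def analyze(log_text):
    """Run both checks over a log export and return the findings."""
    events = [parse_event(line) for line in log_text.strip().splitlines() if line.strip()]
    spawned = wsl_spawned_powershell(events)
    return {
        "wsl_powershell": [{"time": e["UtcTime"], "decoded": decode_encoded_command(e["CommandLine"])}
                           for e in spawned],
        "periodic": periodic_repeats(spawned),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Decoding the encoded command is what turns an alert into something an analyst can triage; the periodicity check deliberately only looks at the already-suspicious WSL-parented events, since plenty of legitimate scheduled PowerShell repeats on a fixed interval too.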

Updated to add

We asked Black Lotus Labs how exactly the malware got onto people's systems, and a spokesperson would only tell us:

Our observations led us to the malware, so our team reverse-engineered the sample and issued the blog to provide details about our analysis. We share our findings with the public to encourage further analysis, and we will issue a follow-up statement if we obtain any new information.
