Security researchers have discovered a new type of malware that makes use of Windows Subsystem for Linux as a way to stealthily attack systems.
Attacks can be carried out with malicious Linux binaries, using a technique that had previously only been demonstrated as a proof of concept. The new attack vector was discovered by researchers from Black Lotus Labs, who describe it as “the first instance of an actor abusing WSL to install subsequent payloads”.
The technique uses malicious ELF files as loaders: they deliver a payload and then inject it into a running Windows process through Windows API calls.
In a blog post, the researchers explain: “Black Lotus Labs recently identified several malicious files that were written primarily in Python and compiled in the Linux binary format ELF (Executable and Linkable Format) for the Debian operating system”.
These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls. While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in VirusTotal, depending on the sample, as of the time of this writing.
The researchers discovered two slightly different variants of the ELF loader approach. The first is written in pure Python; the second uses Python to call various Windows APIs through ctypes and to invoke a PowerShell script. The researchers' theory is that the PowerShell variant is still under development.
What is particularly worrying about the use of Windows Subsystem for Linux is that it lets these attacks slip past defenses built for Windows binaries and go unnoticed. The security researchers point out:
As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality.
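The detection gap described above is easy to close at a basic level: an ELF file is identifiable from its first four bytes, so a defender can at least inventory ELF executables reachable from the Windows side and flag those that reference Windows-side tooling. The scanner below is an added example written for this page, not code from Black Lotus Labs or from the malware samples. The marker strings it looks for (`powershell`, `kernel32`, `ctypes`, `windll`) are a heuristic assumption based on the report's description of the second variant, not indicators published by the researchers, and the sample blobs are constructed here so the script runs offline.

```python
"""Inventory ELF executables on a Windows host and flag WSL-hosted loaders.

Added example, not code from the report. The report observes that Windows
endpoint agents rarely carry ELF signatures, so this script does the
minimum a defender can do without one: parse the ELF identification
header and look for clear-text references to Windows-side tooling.
"""
import os
import struct

ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "little-endian", 2: "big-endian"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}

# Heuristic assumption: a loader that drives Windows APIs from Python via
# ctypes and launches PowerShell plausibly carries these strings in clear
# text. A hit is a hunting lead to triage, not a verdict.
WINDOWS_SIDE_MARKERS = (b"powershell", b"kernel32", b"ctypes", b"windll")


def parse_elf_header(data: bytes):
    """Return the ELF identification fields, or None if `data` is not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    endian = ">" if ei_data == 2 else "<"
    # e_type and e_machine immediately follow the 16-byte e_ident block.
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "class": EI_CLASS.get(ei_class, f"unknown({ei_class})"),
        "data": EI_DATA.get(ei_data, f"unknown({ei_data})"),
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
    }


def classify_bytes(data: bytes):
    """Classify a blob as non-ELF, plain ELF, or ELF with Windows-side markers."""
    header = parse_elf_header(data)
    if header is None:
        return {"is_elf": False, "header": None, "markers": []}
    lowered = data.lower()
    markers = [m.decode() for m in WINDOWS_SIDE_MARKERS if m in lowered]
    return {"is_elf": True, "header": header, "markers": markers}


def scan_tree(root: str, max_bytes: int = 4 * 1024 * 1024):
    """Walk `root` (for example a WSL rootfs or a user-writable folder seen
    from Windows) and yield (path, classification) for each ELF file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    blob = fh.read(max_bytes)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            result = classify_bytes(blob)
            if result["is_elf"]:
                yield path, result


def _constructed_elf64(extra: bytes = b"") -> bytes:
    """Build a constructed, minimal ELF64 x86-64 header for the demo.
    Only e_ident, e_type and e_machine are meaningful; it is not runnable."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, v1
    e_type_machine = struct.pack("<HH", 2, 62)               # EXEC, x86-64
    return e_ident + e_type_machine + b"\x00" * 44 + extra


# Constructed samples: a PE stub, a benign-looking ELF, and an ELF whose
# strings resemble the second loader variant (ctypes plus PowerShell).
SAMPLE_PE = b"MZ" + b"\x00" * 62
SAMPLE_ELF_PLAIN = _constructed_elf64(b"/lib64/ld-linux-x86-64.so.2\x00")
SAMPLE_ELF_LOADER = _constructed_elf64(
    b"import ctypes\nwindll.kernel32\npowershell.exe -nop\x00"
)

if __name__ == "__main__":
    samples = [("pe", SAMPLE_PE), ("elf", SAMPLE_ELF_PLAIN), ("loader", SAMPLE_ELF_LOADER)]
    for label, blob in samples:
        print(label, classify_bytes(blob))
```

Run against the WSL distribution's rootfs or the directories a user can write to, `scan_tree` yields every ELF it finds along with any Windows-side markers; an ELF that references `kernel32` or `powershell` on a Windows host deserves a closer look, since a normal Linux userland binary has no reason to. The magic-byte check is the part most endpoint products skip on Windows, and it costs nothing to add to a hunt.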
More details about this type of attack can be found in Black Lotus Labs’ blog post.
Image credit: GlebStock / Shutterstock