Several malicious samples have been created for the Windows Subsystem for Linux (WSL) to compromise Windows systems, highlighting a sneaky method that allows the attackers to stay rogue from detection by popular anti-malware engines.
Summary
The distinct tradecraft marks the first instance where a threat actor has been observed to be abusing WSL to install successful payloads.
Researchers from Lumen Black Lotus published a report highlighting the way these files function as loaders running a payload that was either embedded within the sample or recover from a remote server which was then injected into a running process using Windows API calls.
How it works
The trace of this attack vector dates back to May 3rd, 2021, with a progression of Linux binaries uploaded every two to three weeks until August 22nd, 2021. The samples were written in Python 3 and converted into an ELF executable with PyInstaller. However, the files were also organized to download shellcode from a remote command-and-control server and employ PowerShell to carry out activities on the infected host.
The secondary shellcode payload is then injected into a running Windows process using Windows API calls for what Lumen (researcher) described as ELF to Windows binary file execution, but not before the sample attempts to end suspected antivirus products and analysis tools running on the machine.
For more information on this vulnerability, kindly follow this URL:
https://thehackernews.com/2021/09/new-malware-targets-windows- subsystem.html
Remediation
Currently, there is no detailed patch available for this kind of malware. However, the researchers from Lumen Black Lotus, recommend the below:
Users who have enabled WSL must ensure proper logging is conducted to detect this type of vulnerability.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: New Malware Targets Windows Subsystem for Linux_to Evade Detection.pdf
References
New malware targets the windows subsystem for Linux to evade detection (17th September 2021). Retrieve from Security Affairs.
https://securityaffairs.co/wordpress/122299/malware/win-malware-wsl-to- evade-detection.html
New malware targets windows subsystem for Linux to evade detection (n.d). Retrieve from Jioforme.