Security experts have found a new malware variant that uses the Windows Subsystem for Linux (WSL) to infect systems covertly. The research highlights that malicious actors are exploring new attack tactics and focusing on WSL to avoid detection.
Black Lotus Labs, the networking threat research arm of Lumen Technologies, reported on Thursday, 16 September, that it has detected many malicious Python files compiled in the ELF (Executable and Linkable Format) binary format for Debian Linux.
The first samples targeting the WSL environment were found at the beginning of May, and further samples kept appearing every 2 to 3 weeks until August 22. They act as loaders for WSL and are detected extremely poorly by public file scanning services. The next step is injecting malware into a running process through Windows API calls, a method that is neither new nor advanced.
Of the few samples discovered, only one came with a publicly routable IP address, which indicates that the attackers are testing the use of WSL to install malware on Windows. The malicious files rely mostly on Python 3 to perform their tasks and are packaged with PyInstaller as ELF executables for Debian.
“As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality,” Black Lotus Labs said.
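A triage sketch for the gap described above, added here as an example and not code from Black Lotus Labs or the original report: it walks a directory on a Windows host and flags files that start with the ELF magic, marking those that also contain PyInstaller's archive cookie. The function names `classify` and `scan` are hypothetical, and the cookie match is a heuristic, not a verdict.

```python
"""Flag ELF binaries, and PyInstaller-packed ELF binaries, under a directory."""
import mmap
import os
import sys

ELF_MAGIC = b"\x7fELF"
# Magic cookie PyInstaller writes at the start of its embedded archive trailer.
PYI_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"


def classify(path):
    """Return 'elf-pyinstaller', 'elf', or None for a single file."""
    try:
        with open(path, "rb") as fh:
            if fh.read(4) != ELF_MAGIC:
                return None  # not an ELF image (e.g. a PE file starting with MZ)
            # Search the whole file: depending on the PyInstaller version the
            # archive is appended to the binary or stored in an ELF section.
            with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
                packed = mm.find(PYI_COOKIE) != -1
    except (OSError, ValueError):
        return None  # unreadable or locked file: skip it
    return "elf-pyinstaller" if packed else "elf"


def scan(root):
    """Walk root and return sorted (path, kind) pairs for every ELF file found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind:
                hits.append((full, kind))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python elf_triage.py <directory>   (defaults to the current directory)
    for path, kind in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{path}")
```

On hosts where WSL is in legitimate use, ELF files are expected inside the distribution's own filesystem, so the hits worth reviewing are those in user-writable Windows locations.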
Just over a month ago, only one antivirus engine on VirusTotal recognized a malicious Linux file. Re-running the scan on another sample showed that the engines on the scanning service did not fully detect it.
One of the variants, written entirely in Python 3, does not use any Windows API and is the first attempt at a WSL loader. It relies on standard Python libraries, so it works on both Windows and Linux.
In April 2016, Microsoft released the Windows Subsystem for Linux. When WSL had just come out of beta in September, researchers from Check Point disclosed an attack termed Bashware, in which WSL could be misused to hide malicious code from security products.
Based on inconsistencies observed while analyzing multiple samples, the researchers theorize that the code is still under development, albeit in its final stage. The limited public IP exposure suggests activity restricted to targets in Ecuador and France at the end of June and the beginning of July.
Further, Black Lotus Labs recommends that everyone who has WSL enabled make sure that logging is activated so that these intrusions can be detected.