As new malware is developed, hackers are becoming more interested in using the Windows Subsystem for Linux (WSL) as an attack surface, with the most complex instances being capable of espionage and downloading other dangerous modules. WSL allows native Linux binaries to run on Windows in an environment that emulates the Linux kernel, as the name implies.
Recently found WSL-based malware packages use open-source code to route communication through the Telegram messaging service and grant the threat actor remote access to the victim system.
RATs and shells
Researchers at Lumen Technologies’ Black Lotus Labs first detected malicious Linux binaries for WSL over a year ago, and published a study on this new sort of vulnerability in September 2021. Despite being built on publicly available code, their number has steadily increased since then, with all versions having low detection rates.
Since late fall, Black Lotus Labs researchers have tracked more than 100 samples of WSL-based malware, according to BleepingComputer. According to the researchers, some malware is more advanced than others, and threat actors “continue to demonstrate interest” in the malware they are following.
Two of the samples examined stand out due to their ability to act as a remote access tool (RAT) or to construct a reverse shell on the infected host. The two samples were discovered after a Black Lotus Labs paper in March cautioned that WSL might become a favourite attack surface for adversaries with varying levels of technical expertise.
One of the most recent demonstrations made use of RAT-via-Telegram Bot, a Python-based open-source tool that allows control over Telegram and includes capabilities for stealing authentication cookies from Google Chrome and Opera web browsers, issuing commands, and downloading data. According to Black Lotus Labs experts, the virus came with a live bot token and chat ID, indicating a functioning command and control mechanism.
Source: Lumen Technologies Black Lotus Labs
Taking screenshots and capturing user and system information (username, IP address, OS version) are also included in this edition, which aids the attacker in determining what malware or tools to employ in the next phase of the intrusion.
According to the researchers, just two antivirus engines out of 57 on Virus Total recognised the sample as dangerous when Black Lotus Labs investigated it. A second WSL-based malware strain was recently identified and was designed to set up a reverse TCP shell on the affected machine in order to interact with the attacker. The researchers found that the code utilised an Amazon Web Services IP address that had previously been used by various businesses.
This sample had a pop-up message in Turkish that said “you’re screwed and there’s not much you can do,” which the researchers translated as “you’re screwed and there’s not much you can do.”
Neither the pop-up message, which could imply Turkish-speaking recipients, nor the code, however, revealed any information about the malware’s author. According to the experts, both malware pieces might be used for espionage and can download files that would enhance their performance.
WSL-based malware taking off
Threat actors are digging deeper into the WSL vector, according to Black Lotus Labs, despite the fact that many of the samples evaluated “did not yet appear to be completely functioning due to the usage of internal or non-routable IPs.” Nonetheless, malware creators are making headway, and have already built variations that can upload and download files, as well as execute attacker commands, on both Windows and Linux.
Unlike prior WSL-based malware, the latest variants examined by Black Lotus Labs “might be viable with an active C2 [command and control] infrastructure in place given the low detection rates of AV providers,” according to the researchers. To fight against WSL-based threats, keep an eye on system activity (e.g. SysMon) to spot suspicious activity and investigate comman