Linux binaries have been found attempting to take over Windows systems in what appears to be the first publicly identified malware to use Microsoft’s Windows Subsystem for Linux (WSL) to install unwanted payloads.
On Thursday, Black Lotus Labs, the threat research group at networking company Lumen Technologies, said it had spotted several malicious Python files compiled in Linux binary ELF (Executable and Linkable Format) for Debian Linux.
“These files acted as loaders running a payload that was either built into the sample or fetched from a remote server and then injected into an ongoing process using Windows API calls,” Black Lotus Labs said in a blog post.
In 2017, more than a year after the introduction of WSL, researchers at Check Point came up with a proof-of-concept attack called Bashware that used WSL to run malicious ELF and EXE payloads. Since WSL was not enabled by default, and Windows 10 did not come with any Linux distro preinstalled, Bashware was not considered a particularly realistic threat at the time.
Four years later, WSL-based malware arrived. The files function as loaders for a payload that is either built in – possibly created using open source tools such as MSFVenom or Meterpreter – or retrieved from a remote command-and-control server, and then injected into an ongoing process through Windows API calls.
“Threat actors are always looking for new attack surfaces,” said Mike Benjamin, vice president of product security at Lumen and director of Black Lotus Labs, in a statement.
“Although the use of WSL is generally limited to advanced users, these users often have increased privileges in an organization. This creates blind spots as the industry continues to remove barriers between operating systems.”
If there’s a silver lining to this expected development, it’s that this initial WSL attack isn’t particularly sophisticated, according to Black Lotus Labs. Nonetheless, the samples had a detection rate of one or zero in VirusTotal, indicating that malicious ELFs would have been missed by most antivirus systems.
Black Lotus Labs said the files were written in Python 3 and turned into an ELF executable using PyInstaller. The code invokes various Windows APIs to retrieve a remote file and inject it into a running process, thereby establishing access to the infected machine. Presumably, an attacker targeting a Windows system would need to get code execution in the WSL environment in the first place, one way or another.
Two variants of the malware have been identified. One was pure Python, the other was primarily Python but used the Python ctypes library to connect to Windows APIs and run a PowerShell script. Researchers at Black Lotus Labs believe this second variant was still in development because it did not work on its own.
One of the PowerShell samples had a kill_av() function that tries to disable suspected antivirus software using the Python os.popen() function in the subprocess module to manage the subprocesses. It also included a reverseshell() function that used a subprocess to run a Base64-encoded PowerShell script every 20 seconds inside an infinite while True: loop, which prevented the other functions from running.
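The behaviour described above (PowerShell launched from the WSL side with a Base64-encoded script, repeated every 20 seconds) is exactly what the logging Black Lotus Labs recommends can surface. The following detection sketch is an added example, not code from the researchers or from the malware: it runs over a constructed Sysmon-style process-creation log, decodes any -EncodedCommand argument (UTF-16LE under Base64, as PowerShell expects), flags PowerShell whose parent is one of an assumed set of WSL-side images, and checks whether the hits recur on a roughly 20-second cadence. The parent-image list, field layout and sample events are all assumptions made for the example.

```python
import base64
import re
from datetime import datetime

# Constructed Sysmon-style process-creation events (not real telemetry):
# (timestamp, parent image, child image, command line).
ENC_SAMPLE = base64.b64encode("Write-Host 'hello'".encode("utf-16le")).decode()
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ("2021-07-01T10:00:00", r"C:\Windows\System32\wsl.exe", PS_PATH,
     f"powershell.exe -NoP -W Hidden -EncodedCommand {ENC_SAMPLE}"),
    ("2021-07-01T10:00:20", r"C:\Windows\System32\wsl.exe", PS_PATH,
     f"powershell.exe -NoP -W Hidden -enc {ENC_SAMPLE}"),
    ("2021-07-01T10:00:41", r"C:\Windows\System32\wsl.exe", PS_PATH,
     f"powershell.exe -NoP -W Hidden -EncodedCommand {ENC_SAMPLE}"),
    ("2021-07-01T10:05:00", r"C:\Windows\explorer.exe", PS_PATH,
     r"powershell.exe -File C:\scripts\backup.ps1"),
]
# Parent images taken to mean "launched from the WSL side" (assumed list).
WSL_PARENTS = {"wsl.exe", "wslhost.exe", "bash.exe", "init"}
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def is_periodic(timestamps, period=20, tolerance=2, min_hits=3):
    """True if min_hits consecutive events are ~period seconds apart."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    on_cadence = "".join("1" if abs((b - a).total_seconds() - period) <= tolerance
                         else "0" for a, b in zip(ts, ts[1:]))
    return "1" * (min_hits - 1) in on_cadence  # min_hits events span min_hits-1 gaps

def analyse(events):
    """Flag WSL-parented PowerShell carrying an encoded command; check cadence."""
    hits = [e for e in events if basename(e[1]) in WSL_PARENTS
            and basename(e[2]) == "powershell.exe"
            and decode_encoded_command(e[3]) is not None]
    return {"count": len(hits),
            "scripts": sorted({decode_encoded_command(e[3]) for e in hits}),
            "beacon_like": is_periodic([e[0] for e in hits])}
```

On the constructed log this reports three WSL-parented encoded-PowerShell launches, the decoded script text, and a beacon-like cadence, while the explorer-spawned backup script is left alone.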
The only routable IP address (185.63.90[.]137) identified in the samples has been linked to targets in Ecuador and France that communicated with the malicious IP address on ports 39000 to 48000 in late June and early July, the researchers said. They theorize that whoever was behind the malware was testing a VPN or a proxy node.
Black Lotus Labs advises anyone who has WSL enabled to ensure that logging is enabled to detect these types of incursions. ®