Linux binaries have been found attempting to take over Windows systems, in what appears to be the first publicly identified malware to use Microsoft’s Windows Subsystem for Linux (WSL) to install unwanted payloads.
On Thursday, Black Lotus Labs, the threat research group at Networking biz Lumen Technologies, said it had discovered several malicious Python files compiled in the Linux binary format ELF (Executable and Linkable Format) for Debian Linux.
“These files acted as loaders running a payload that was either embedded in the sample or retrieved from a remote server and then injected into a running process using Windows API calls,” Black Lotus Labs said in a blog post.
In 2017, more than a year after WSL was launched, Check Point researchers proposed a proof-of-concept attack called Bashware that used WSL to execute malicious ELF and EXE payloads. Because WSL wasn’t enabled by default and Windows 10 didn’t come with a pre-installed Linux distribution, Bashware wasn’t seen as a particularly realistic threat at the time.
Four years later, WSL-based malware has arrived. The files act as a loader for a payload that is either embedded – possibly created using open source tools such as MSFVenom or Meterpreter – or retrieved from a remote command-and-control server, and is then injected into a running process via Windows API calls.
“Threat actors are always looking for new attack surfaces,” said Mike Benjamin, Lumen vice president of product security and head of Black Lotus Labs, in a statement. “While the use of WSL is generally limited to power users, those users often have elevated privileges in an organization. This creates blind spots as the industry continues to remove barriers between operating systems.”
If there is an upside to this anticipated development, it is that this initial WSL attack is not particularly sophisticated, according to Black Lotus Labs. Nonetheless, the samples were flagged by only one or zero engines on VirusTotal, suggesting that the malicious ELFs would have been overlooked by most antivirus systems.
Black Lotus Labs said the files were written in Python 3 and converted to an ELF executable using PyInstaller. The code calls various Windows APIs to fetch a remote file and inject it into a running process, thereby gaining access to the infected computer.
Two variants have been identified. One was pure Python, the other mostly Python, but used the Python ctypes library to connect to Windows APIs and run a PowerShell script. Black Lotus Labs researchers theorize that this second variant was still in development because it didn’t run on its own.
One of the PowerShell samples had a kill_av() function that tries to disable suspicious antivirus software using Python’s os.popen() function, from the sub-process module for managing sub-processes. It also included a reverseshell() function that uses a sub-process to run a Base64-encoded PowerShell script every 20 seconds inside an infinite while True: loop, which prevents other functions from being performed.
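As an added defender-side illustration (this is not code from Black Lotus Labs or from the article), the following Python detector runs over constructed process-creation records and looks for the behaviour described above: a Base64-encoded PowerShell launch spawned from a WSL process, repeating on a roughly 20-second cadence. The record format, the WSL parent image names and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample process-creation records (not real telemetry):
# "<ISO timestamp>|<parent image>|<child image>|<command line>"
SAMPLE_LOG = """\
2021-07-01T10:00:00|C:\\Windows\\System32\\wsl.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoP -W Hidden -EncodedCommand QQBBAEEA
2021-07-01T10:00:05|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe
2021-07-01T10:00:20|C:\\Windows\\System32\\wsl.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoP -W Hidden -EncodedCommand QQBBAEEA
2021-07-01T10:00:40|C:\\Windows\\System32\\wsl.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoP -W Hidden -EncodedCommand QQBBAEEA
2021-07-01T10:05:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\scripts\\backup.ps1
"""

# Assumed image names under which WSL interop launches Windows children.
WSL_PARENTS = {"wsl.exe", "wslhost.exe", "bash.exe"}
# PowerShell's encoded-command switch followed by a Base64-looking blob.
ENCODED_FLAG = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}")

def parse_records(text):
    """Yield (timestamp, parent basename, child basename, cmdline) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, child, cmdline = line.split("|", 3)
        yield (datetime.fromisoformat(ts), parent.rsplit("\\", 1)[-1].lower(),
               child.rsplit("\\", 1)[-1].lower(), cmdline)

def find_wsl_encoded_powershell_beacons(text, period_s=20, tolerance_s=5, min_hits=3):
    """Return [(parent, count, avg_gap_seconds)] for WSL parents that launched
    encoded PowerShell at least min_hits times with every gap within
    tolerance_s of period_s, i.e. the fixed-interval loop the article describes."""
    by_parent = defaultdict(list)
    for ts, parent, child, cmdline in parse_records(text):
        if parent in WSL_PARENTS and child == "powershell.exe" and ENCODED_FLAG.search(cmdline):
            by_parent[parent].append(ts)
    findings = []
    for parent, stamps in by_parent.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and all(abs(g - period_s) <= tolerance_s for g in gaps):
            findings.append((parent, len(stamps), sum(gaps) / len(gaps)))
    return findings

if __name__ == "__main__":
    for parent, n, avg in find_wsl_encoded_powershell_beacons(SAMPLE_LOG):
        print(f"suspicious: {n} encoded PowerShell launches from {parent}, ~{avg:.0f}s apart")
```

The benign PowerShell launched from explorer.exe and the one-off WSL launches are left alone; only the repeating, evenly spaced series from a WSL parent is reported.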
The one routable IP address (185.63.90[.]137) identified in the samples has been linked to targets in Ecuador and France communicating with the malicious IP on ports 39,000 to 48,000 in late June and early July, the researchers said. They theorize that whoever was behind the malware tested a VPN or proxy node.
Black Lotus Labs advises anyone who has activated WSL to ensure that logging is active in order to detect such intrusions. ®