Windows Subsystem For Linux Virus Steals Browser Auth Cookies

source link: https://www.theinsaneapp.com/2022/05/windows-subsystem-for-linux-virus-steals-browser-auth-cookies.html

Hackers are increasingly interested in the Windows Subsystem for Linux (WSL) as an attack surface. They are building new malware for it and using the more advanced samples to spy on their targets.

WSL, as the name suggests, allows native Linux binaries to be run on Windows in an environment that simulates the Linux kernel.

Recent WSL-based malware samples were discovered to be based on open-source code. This code routes communication through Telegram and allows the threat actor remote access.

RATs And Shells

Malicious Linux binaries that can be used to steal WSL passwords were first discovered more than a year ago by researchers at Lumen Technologies’ Black Lotus Labs.

Their number has increased steadily since then. Despite being based on publicly accessible code, all variants enjoy low detection rates.

Researchers at Black Lotus Labs stated that they had tracked over 100 WSL-based malware samples since last fall.

Researchers said that some are more advanced than others and that threat actors continue to be interested in the malware they track.

Two of the samples that were analyzed are particularly notable because they can be used as remote access tools (RATs) or to create a reverse shell on infected hosts.

These two samples were found after Black Lotus Labs’ March report that warned WSL could become a favorite attack surface for adversaries with different technical skill levels.

One of the most recent examples used a Python-based, open-source tool called “RAT-via-TelegramBot“, which allows Telegram control and includes functions to steal authentication cookies from Google Chrome or Opera web browsers, run commands, and download files.

The malware contained a chat ID and a bot token, which indicate an active command-and-control mechanism.

This variant also allows for screenshots to be taken and the grabbing of user and system information (usernames, IP addresses, OS versions). This helps attackers determine which malware or utilities they can use during the next phase.

The researchers noticed that only two of 57 antivirus engines on VirusTotal detected the sample as malicious when Black Lotus Labs analyzed it.

A second WSL-based malware sample was built to communicate with the attacker.

The researchers looked at the code and noticed that it used an Amazon Web Services IP address that had previously been used by multiple entities.

Researchers noticed one particular thing about this sample: it displayed a pop-up message in Turkish that translates to “you’re screwed, and there’s nothing you can do.”

Neither the pop-up message, which could have pointed to Turkish-speaking targets, nor the code provided any clues about the source of the malware.

Researchers said that both pieces of malware could be used for spying and could also download files to extend their functionality.

WSL-based malware taking off

Black Lotus Labs has warned that threat actors are expanding the WSL vector. However, many of the samples analyzed by the lab “didn’t yet seem to be fully functional due to the use of internal IPs or non-routable IPs.”

Malware authors are nonetheless making steady progress: they have created variants that can download and upload files to both Windows and Linux and execute attacker commands.

Black Lotus Labs found that the most recent WSL-based malware samples “would be effective with an active C2 [command & control] infrastructure, given the low detection rates by AV providers.”

For defending against WSL-based threats, it is important to monitor system activity (e.g. with Sysmon) to detect suspicious activity and investigate commands.
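As an added illustration of the monitoring the article recommends (this is not code from the article or from Black Lotus Labs), the Python below runs two simple checks over constructed Sysmon-style events: WSL launched by a script or Office host, and a DNS lookup for Telegram's bot API attributed to a WSL-related process. Field names follow Sysmon Event ID 1 (process create) and Event ID 22 (DNS query); the PIDs, paths, command lines and the list of suspicious parent processes are assumptions chosen for the sample.

```python
from dataclasses import dataclass

# Windows launcher/host processes through which WSL Linux binaries run.
WSL_IMAGES = {"wsl.exe", "wslhost.exe", "bash.exe"}
# Telegram's bot API host; the RAT described above is Telegram-controlled.
WATCH_DOMAINS = {"api.telegram.org"}
# Parents that rarely start WSL legitimately (judgment call; tune per environment).
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"}

@dataclass
class Alert:
    rule: str
    pid: int
    detail: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # file name, lower-cased

def triage(events: list) -> list:
    """Flag WSL launched by script/Office hosts and WSL-origin DNS lookups to watched hosts."""
    alerts, wsl_pids = [], set()
    for ev in events:
        image = _basename(ev.get("Image", ""))
        pid = int(ev.get("ProcessId", 0))
        if ev["EventID"] == 1 and image in WSL_IMAGES:
            wsl_pids.add(pid)  # remember PIDs so later DNS events can be attributed
            parent = _basename(ev.get("ParentImage", ""))
            if parent in SUSPICIOUS_PARENTS:
                alerts.append(Alert("wsl_spawned_by_script_host", pid,
                                    f"{parent} -> {image} {ev.get('CommandLine', '')}"))
        elif ev["EventID"] == 22:
            query = ev.get("QueryName", "").lower().rstrip(".")
            if query in WATCH_DOMAINS and (image in WSL_IMAGES or pid in wsl_pids):
                alerts.append(Alert("wsl_dns_to_bot_api", pid, query))
    return alerts

# Constructed sample: a benign interactive launch (PID 4100) and a launch from a
# script host (PID 5120) that then resolves the Telegram bot API.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "wsl.exe"},
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "wsl.exe -e python3 /tmp/update.py"},
    {"EventID": 22, "ProcessId": 5120, "Image": r"C:\Windows\System32\wsl.exe",
     "QueryName": "api.telegram.org"},
    {"EventID": 22, "ProcessId": 4100, "Image": r"C:\Windows\System32\wsl.exe",
     "QueryName": "archive.ubuntu.com"},
]
```

The DNS check only fires when the resolver call is attributed to a Windows-side WSL process; with WSL2's VM-based networking the Linux side's lookups are generally not attributed that way, so network-level monitoring is still needed there.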