Security News > 2021 > September > New malware uses Windows Subsystem for Linux for stealthy attacks
Security researchers have discovered malicious Linux binaries created for the Windows Subsystem for Linux, indicating that hackers are trying out new methods to compromise Windows machines.
The next step is to inject the malware into a running process using Windows API calls, a technique that is neither new nor sophisticated.
From the small number of samples identified, only one came with a publicly routable IP address, hinting that threat actors are testing the use of WSL to install malware on Windows.
"As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don't have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality" - Black Lotus Labs.
One of the variants, written completely in Python 3, does not use any Windows API and seems to be the first attempt at a loader for WSL. It uses standard Python libraries, which makes it compatible with both Windows and Linux.
Black Lotus Labs assesses that the WSL malware loaders are the work of a threat actor testing the method from a VPN or proxy node.
News URL
Related news
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)
- Malware botnets exploit outdated D-Link routers in recent attacks (source)
- Ivanti zero-day attacks infected devices with custom malware (source)
- FBI wipes Chinese PlugX malware from thousands of Windows PCs in America (source)
- WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites (source)
- IPany VPN breached in supply-chain attack to push custom malware (source)
- MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks (source)
- CISA orders agencies to patch Linux kernel bug exploited in attacks (source)
- New Microsoft script updates Windows media with bootkit malware fixes (source)