Security News > 2021 > September > New malware uses Windows Subsystem for Linux for stealthy attacks
Security researchers have discovered malicious Linux binaries created for the Windows Subsystem for Linux, indicating that hackers are trying out new methods to compromise Windows machines.
The next step is to inject the malware into a running process using Windows API calls, a technique that is neither new nor sophisticated.
From the small number of samples identified, only one came with a publicly routable IP address, hinting that threat actors are testing the use of WSL to install malware on Windows.
"As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don't have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality" - Black Lotus Labs.
One of the variants, written completely in Python 3, does not use any Windows API and seems to be the first attempt at a loader for WSL. It uses standard Python libraries, which makes it compatible with both Windows and Linux.
Black Lotus Labs assesses that the WSL malware loaders are the work of a threat actor testing the method from a VPN or proxy node.
News URL
Related news
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks (source)
- GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks (source)
- New Bifrost malware for Linux mimics VMware domain for evasion (source)
- New BIFROSE Linux Malware Variant Using Deceptive VMware Domain for Evasion (source)
- CISA warns of Microsoft Streaming bug exploited in malware attacks (source)
- Stealthy GTPDOOR Linux malware targets mobile operator networks (source)
- Hackers steal Windows NTLM authentication hashes in phishing attacks (source)
- Magnet Goblin hackers use 1-day flaws to drop custom Linux malware (source)
- Hackers leverage 1-day vulnerabilities to deliver custom Linux malware (source)