New Malware Targets Windows Subsystem for Linux to Evade Detection (Security News, September 2021)
A number of malicious samples have been created for the Windows Subsystem for Linux with the goal of compromising Windows machines, highlighting a sneaky method that allows the operators to stay under the radar and thwart detection by popular anti-malware engines.
"These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls," researchers from Lumen Black Lotus Labs said in a report published on Thursday.
Windows Subsystem for Linux (WSL), first shipped in August 2016, is a compatibility layer for running unmodified Linux ELF binaries on Windows without a traditional virtual machine or dual-boot setup (WSL 1 translates Linux system calls onto the NT kernel; WSL 2 runs a real Linux kernel inside a lightweight utility VM). As this campaign shows, it is also a place where Windows-focused anti-malware engines may have little visibility into ELF binaries.
The earliest artifacts date back to May 3, 2021, with a series of Linux binaries uploaded every two to three weeks until August 22, 2021.
The second-stage payload, which the loader either carries embedded or fetches from a remote server, is shellcode that is then injected into a running Windows process using Windows API calls, in what Lumen described as "ELF to Windows binary file execution"; before doing so, the sample attempts to terminate suspected antivirus products and analysis tools running on the machine.
What's more, the use of standard Python libraries makes some of the variants interoperable on both Windows and Linux.
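Because the Linux side of WSL is only partly visible to Windows host telemetry, a hunt for loaders like the ones described above has to key on the Windows-side artifacts: the WSL host process spawning Windows binaries, those descendants trying to kill security tools, and any of them opening another process with the access rights needed to write and start code in it. The following is an added example of that detection logic, written for this page and not taken from Lumen's report or from the malware itself. It runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 10 process access), and the set of WSL host image names and the AV/analysis tool watchlist are assumptions, not facts from the article.

```python
"""Hunt Windows process telemetry for WSL-launched processes that behave like the
loaders described above: kill security tools, then open another process for injection.

Events are constructed Sysmon-style records, not real telemetry.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumption: Windows processes started through WSL interop show one of these as an ancestor.
WSL_HOSTS = {"wsl.exe", "wslhost.exe", "bash.exe"}

# Assumption: hypothetical watchlist of AV / analysis tool image names a loader might try to kill.
TOOL_WATCHLIST = {"msmpeng.exe", "procmon.exe", "procexp.exe", "wireshark.exe", "x64dbg.exe"}

# Access rights that together allow writing code into another process and starting a thread in it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def build_tree(events):
    """Index process-creation events (EID 1) by pid so ancestry can be walked."""
    return {ev["pid"]: Proc(ev["pid"], ev["ppid"], ev["image"], ev.get("cmdline", ""))
            for ev in events if ev["event_id"] == 1}


def wsl_descended(pid, procs, max_depth=32):
    """True if the process or any known ancestor is a WSL host process."""
    seen = set()
    while pid in procs and pid not in seen and len(seen) < max_depth:
        seen.add(pid)
        if ntpath.basename(procs[pid].image).lower() in WSL_HOSTS:
            return True
        pid = procs[pid].ppid
    return False


def kills_tools(cmdline):
    """Watchlisted tool stems named in a taskkill / Stop-Process command line, sorted."""
    low = cmdline.lower()
    if not re.search(r"\btaskkill\b|\bstop-process\b", low):
        return []
    tokens = {tok.strip("\"'").removesuffix(".exe") for tok in re.split(r"[\s,]+", low)}
    stems = {t.removesuffix(".exe") for t in TOOL_WATCHLIST}
    return sorted(tokens & stems)


def hunt(events):
    """Return (rule, pid, detail) tuples for WSL-descended processes worth a look."""
    procs = build_tree(events)
    findings = []
    for ev in events:
        if ev["event_id"] == 1 and wsl_descended(ev["pid"], procs):
            image = ntpath.basename(ev["image"]).lower()
            if image not in WSL_HOSTS:  # a Windows binary launched from inside WSL
                findings.append(("wsl_interop_launch", ev["pid"], image))
            killed = kills_tools(ev.get("cmdline", ""))
            if killed:
                findings.append(("wsl_kills_tools", ev["pid"], ",".join(killed)))
        elif ev["event_id"] == 10 and wsl_descended(ev["source_pid"], procs):
            access = int(ev["granted_access"], 16)
            if access & INJECT_MASK == INJECT_MASK:
                findings.append(("wsl_injection_access", ev["source_pid"],
                                 ntpath.basename(ev["target_image"]).lower()))
    return findings


# Constructed sample telemetry: one WSL-rooted chain and one benign Task Manager lookup.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event_id": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wsl.exe", "cmdline": "wsl.exe -d Ubuntu"},
    {"event_id": 1, "pid": 210, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -c "Stop-Process -Name procmon,wireshark -Force"'},
    {"event_id": 1, "pid": 220, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c taskkill /F /IM MsMpEng.exe"},
    {"event_id": 10, "source_pid": 210, "target_pid": 300,
     "target_image": r"C:\Windows\System32\notepad.exe", "granted_access": "0x1FFFFF"},
    {"event_id": 1, "pid": 400, "ppid": 100, "image": r"C:\Windows\System32\Taskmgr.exe", "cmdline": "Taskmgr.exe"},
    {"event_id": 10, "source_pid": 400, "target_pid": 300,
     "target_image": r"C:\Windows\System32\notepad.exe", "granted_access": "0x1000"},
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid:<6} {detail}")
```

The interop-launch rule is deliberately low-signal on its own, since developers legitimately call Windows tools from WSL; the kill-tools and injection-access rules carry the weight, and correlating all three on one WSL lineage is what separates the loader pattern from normal use. Extending the walk to a real Sysmon feed means feeding it EID 1 and EID 10 records with the same fields, and adding EID 8 (CreateRemoteThread) as a second injection signal.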