Security News > 2022 > May > New Windows Subsystem for Linux malware steals browser auth cookies
Hackers are showing an increased interest in the Windows Subsystem for Linux as an attack surface as they build new malware, the more advanced samples being suitable for espionage and downloading additional malicious modules.
WSL-based malware samples discovered recently rely on open-source code that routes communication through the Telegram messaging service and gives the threat actor remote access to the compromised system.
Black Lotus Labs researchers told BleepingComputer this week that they have tracked more than 100 samples of WSL-based malware since last fall.
Black Lotus Labs researchers told BleepingComputer that the malware came with a live bot token and chat ID, indicating an active command and control mechanism.
A second recently discovered WSL-based malware sample was built to set up a reverse TCP shell on the infected machine to communicate with the attacker.
Malware authors are making progress and have already created variants that work on both Windows and Linux and can upload and download files, or execute attacker commands.
News URL
Related news
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)
- Fake browser updates spread updated WarmCookie malware (source)
- New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking (source)
- Linux malware “perfctl” behind years-long cryptomining campaign (source)
- Linux systems targeted with stealthy “Perfctl” cryptomining malware (source)
- New FASTCash malware Linux variant helps steal money from ATMs (source)
- New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists (source)
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- Windows infected with backdoored Linux VMs in new phishing attacks (source)