A new Win malware uses Windows Subsystem for Linux (WSL) to evade detection

Security researchers spotted a new malware that uses Windows Subsystem for Linux (WSL) to evade detection in attacks against Windows machines.

Security researchers from Lumen’s Black Lotus Labs have discovered several malicious Linux binaries developed to target the Windows Subsystem for Linux (WSL).

Windows Subsystem for Linux (WSL) is a compatibility layer for running Linux binary executables (in ELF format) natively on Windows 10, Windows 11, and Windows Server 2019. The discovery of the malicious Linux binaries suggests that threat actors are devising new methods to target Windows systems and evade the detection.

The files identified by the expert were written primarily in Python 3 and compiled in the Linux binary format ELF (Executable and Linkable Format) for the Debian operating system. 

“These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls.” reads the analysis published by the researchers. “While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virus Total, depending on the sample, as of the time of this writing.”

The Black Lotus Labs detected multiple samples that were uploaded every two to three weeks from as early as May 3, 2021, through August 22, 2021.

The malicious code acted as a loader, retrieved a remote file and then injected it into a running process leveraging Windows API calls . Experts pointed out that the files had a very low detection rate on VirusTotal because most Windows anti-virus solutions don’t have signatures to detect ELF files.

The loader analyzed by the experts used standard Python libraries to make the malicious files multiplatform.

One of the samples was printing the words “Пивет Саня” which translates from Russian to “Hello Sanya”, which suggests that the author has some familiarity with the language and that was making some tests. All of the malicious files analyzed by the experts contained private, or non-routable, IP addresses, except for one that contained the 185.63.90[.]137 IP address.

“The file first attempted to allocate memory from the machines, then created a new process and injected a resource that was stored on a remote server located at hxxp://185.63.90[.]137:1338/stagers/l5l.py. When Black Lotus Labs researchers tried to grab the resource from this remote server, the file was already taken offline, indicating that the threat actor left this address in either from a test or a previous campaign.” continues the analysis. “We did identify a couple of other malicious files that all communicated with the same IP address (185.63.90[.]137) around the same timeframe as the samples containing Meterpreter payloads, some of which were obfuscated with the Shikata Ga Nai encoder.”

The researchers reported that the ELF to Windows binary file execution path was different in various samples, for example, in some samples, the author used PowerShell to inject and execute the shellcode.

In one sample the loader used Python to call functions that killed the running AV products and analysis tools, established a webshell, and run a PowerShell script every 20 seconds.

Black Lotus Labs visibility on the one routable IP address indicates that the author is targeting users in Ecuador and France in late June and early July.

“As the once distinct boundaries between operating systems continue to become more nebulous, threat actors will take advantage of new attack surfaces. We advise defenders who’ve enabled WSL ensure proper logging in order to detect this type of tradecraft.” concludes the report.

“To combat this particular campaign, Black Lotus Labs null-routed the threat actor infrastructure across the Lumen global IP network. Black Lotus Labs continues to follow this activity to detect and disrupt similar compromises, and we encourage other organizations to alert on this and similar campaigns in their environments.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WSL)

[adrotate banner=”5″]

[adrotate banner=”13″]