Linux binaries have been found trying to take over Windows systems in what appears to be the first publicly identified malware to utilize Microsoft’s Windows Subsystem for Linux (WSL) to install unwelcome payloads.
On Thursday, Black Lotus Labs, the threat research group at networking biz Lumen Technologies, said it had spotted several malicious Python files compiled in the Linux binary format ELF (Executable and Linkable Format) for Debian Linux.
“These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls,” Black Lotus Labs said in a blog post.
In 2017, more than a year after the introduction of WSL, Check Point researchers proposed a proof-of-concept attack called Bashware that used WSL to run malicious ELF and EXE payloads. Because WSL wasn’t enabled by default and Windows 10 didn’t ship with any preinstalled Linux distro, Bashware wasn’t considered a particularly realistic threat at the time.
Four years later, WSL-based malware has arrived. The files function as loaders for a payload that’s either embedded – possibly created using open-source tools like MSFVenom or Meterpreter – or fetched from a remote command-and-control server and is then inserted into a running process via Windows API calls.
While the use of WSL is generally limited to power users, those users often have escalated privileges in an organization. This creates blind spots as the industry continues to remove barriers between operating systems
“Threat actors always look for new attack surfaces,” said Mike Benjamin, Lumen vice president of product security and head of Black Lotus Labs, in a statement. “While the use of WSL is generally limited to power users, those users often have escalated privileges in an organization. This creates blind spots as the industry continues to remove barriers between operating systems.”
If there’s a bright side to this anticipated development, it’s that this initial WSL attack isn’t particularly sophisticated, according to Black Lotus Labs. Nonetheless, the samples had a detection rate of one or zero in VirusTotal, indicating that the malicious ELFs would have been missed by most antivirus systems.
Black Lotus Labs said the files were written in Python 3 and turned into an ELF executable using PyInstaller. The code invokes various Windows APIs to fetch a remote file and add it to a running process, thereby establishing access to the infected machine.
Two variants were identified. One was pure Python, the other was mostly Python but used the Python ctypes library to connect to Windows APIs and run a PowerShell script. The Black Lotus Labs researchers theorize this second variant was still in development because it didn’t run on its own.
One of the PowerShell samples had a
kill_av() function that tries to disable suspected antivirus software using the Python
os.popen() function in the subprocess module, for managing subprocesses. It also included a
reverseshell() function that used a subprocess to run a Base64-encoded PowerShell script every 20 seconds within an infinite
while True: loop to prevent other functions from running.
The one routable IP address (185.63.90[.]137) identified in the samples has been linked to targets in Ecuador and France that communicated with the malicious IP on ports 39000 through 48000 in late June and early July, the researchers said. They theorize that whoever is behind the malware was testing a VPN or proxy node.
Black Lotus Labs advises anyone who has enabled WSL to make sure logging is active to spot these sorts of incursions. ®