IT administrators are being warned of a new threat that abuses the Windows operating system’s ability to run Linux binaries to deliver malware.
The warning comes from researchers at Lumen, who say at least one threat actor is trying to leverage a capability in Windows Subsystem for Linux (WSL) to squirm into an IT environment. WSL runs a Linux environment within Windows, allowing the use of Linux command-line tools without the overhead of a virtual machine. Among those who take advantage of it are application developers, who use it as a convenient method for pulling in open-source software.
But in a column the company said it has recently discovered malicious files that were written primarily in Python and compiled in the Linux binary format ELF (Executable and Linkable Format) for the Debian Linux operating system. “These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls,” researchers said. “While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virus Total, depending on the sample, as of the time of this writing.”
“To our knowledge, this small set of samples denotes the first instance of an actor abusing WSL to install subsequent payloads,” they add.
Researchers concede that, because they have identified only a limited number of samples tied to a single publicly routable IP address, the activity is “quite limited in scope or potentially still in development.”
That one IP address targeted organizations in Ecuador and France on ephemeral ports between 39000 and 48000 in late June and early July. It could have been an actor testing this new capability from a VPN or proxy node, researchers speculate. “With broader industry detection of this technique, we suspect additional activity will be uncovered,” they add.
Mike Benjamin, Lumen’s vice president of product security and head of its Black Lotus Labs team, told SC Magazine that there isn’t a vulnerability in WSL, and it is not up to Microsoft to issue a fix. “This is a threat actor abusing a legitimate application,” he was quoted as saying.
Lumen advises IT defenders who have enabled WSL to follow Microsoft recommendations and ensure proper logging in order to detect this type of tradecraft.
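As an added illustration of the logging-based detection Lumen recommends (this is example code, not from Lumen or Microsoft), the script below correlates constructed Sysmon-style process-creation and network-connection events: a host is flagged when a WSL launcher is started and a later outbound connection on that host hits the 39000 to 48000 port range the article reports. The launcher image names, field layout and sample events are assumptions; whether WSL traffic is attributed to a Windows image in host telemetry depends on the WSL version, so the correlation is per host rather than per process.

```python
from collections import defaultdict

# Assumption: images that start a WSL session on the Windows side.
WSL_LAUNCHERS = {"wsl.exe", "bash.exe", "wslhost.exe"}
# Destination port range reported in the article.
OBSERVED_PORTS = range(39000, 48001)

# Constructed sample events modelled on Sysmon EventID 1 (ProcessCreate)
# and EventID 3 (NetworkConnect); assumed to be in chronological order.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "dev01", "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Computer": "dev01", "Image": r"C:\Windows\System32\wsl.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 41234},
    {"EventID": 1, "Computer": "dev02", "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe"},
    {"EventID": 3, "Computer": "dev02", "Image": r"C:\Program Files\Firefox\firefox.exe",
     "DestinationIp": "198.51.100.5", "DestinationPort": 443},
    # In-range port but no WSL launch on this host: should not be flagged.
    {"EventID": 3, "Computer": "dev03", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 40000},
]


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious_wsl_activity(events):
    """Map each host that launched WSL and later connected to a destination port
    in OBSERVED_PORTS to the list of (destination IP, port) pairs seen."""
    wsl_hosts = set()
    hits = defaultdict(list)
    for ev in events:
        host = ev["Computer"]
        if ev["EventID"] == 1 and image_name(ev["Image"]) in WSL_LAUNCHERS:
            wsl_hosts.add(host)
        elif ev["EventID"] == 3 and host in wsl_hosts:
            if ev["DestinationPort"] in OBSERVED_PORTS:
                hits[host].append((ev["DestinationIp"], ev["DestinationPort"]))
    return dict(hits)


if __name__ == "__main__":
    for host, conns in find_suspicious_wsl_activity(SAMPLE_EVENTS).items():
        print(f"{host}: WSL launched, then connections {conns}")
```

The port range alone is a weak signal, since it overlaps normal ephemeral traffic; treat a hit as a lead for reviewing the host's WSL session and the binaries it ran, not as a verdict.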