IT administrators are warned of a new threat that abuses the ability of the Windows operating system to run Linux binaries to download malware.
The warning comes from researchers at Lumen, who say at least one threat actor is trying to take advantage of a Windows Subsystem for Linux (WSL) capability to sneak into a computing environment. WSL runs a Linux environment within Windows, allowing the use of Linux command line tools without the overhead of a virtual machine. Among those who benefit from it are application developers, who use it as a convenient method to integrate open source software.
But in a column, the company said it recently discovered malicious files written primarily in Python and compiled in the Linux ELF (Executable and Linkable Format) binary format for the Debian Linux operating system. “These files acted as loaders running a payload that was either built into the sample or fetched from a remote server and then injected into an ongoing process using Windows API calls,” the researchers said. âWhile this approach is not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virus Total, depending on the sample, at the time. of the writing of this article. “
âTo our knowledge, this small set of samples points to the first case of an actor abusing WSL to install subsequent payloads,â they add.
The researchers admit that, because they identified a limited number of samples with a single publicly routable IP address, the activity is “quite limited in scope or potentially still in development.”
This IP address targeted organizations in Ecuador and France on ephemeral ports between 39,000 and 48,000 at the end of June and the beginning of July. It could have been a player testing this new capability from a VPN or proxy node, researchers speculate. “With wider detection of this technique by industry, we suspect that additional activity will be discovered,” they add.
Mike Benjamin, vice president of product security at Lumen and head of his Black Lotus Labs team, told SC Magazine that there was no vulnerability in WSL and that it was not Microsoft’s job to publish a fix. âThis is a threatening actor who abuses a legitimate application,â he said.
Lumen advises the IT people who allowed WSL to follow Microsoft’s recommendations and ensure proper logging to detect this type of trade.