This strange, weird world of computing continues to amaze us. From Microsoft's love of all that is open-source to the publication of Edge on Linux, these two worlds, once poles apart and with great feuds between their users, are increasingly mixing.
But mixing them calls for care, especially when you cannot have full control over both cohabiting environments.
This is the case with what has been discovered in recent days: a study of a series of samples has brought to light what until now was thought to be only theory, a new piece of malware for Windows in the form of a Linux executable.
Taking advantage of the now famous Windows Subsystem for Linux, the Redmond company's system launched in 2016 and revised as WSL2 in 2019, which brought a Linux kernel into the famous Windows system, this malware is distributed in ELF (Executable and Linkable Format) form and is meant to run under Debian and its derivatives. Considering that the main distribution used in WSL2 is probably Ubuntu, the circle closes.
Several variants of this malware have been found, from one written in Python, potentially attacking both Windows and Linux, to one that uses PowerShell to interact with the Windows API. The method of delivering the payload (i.e. the actual attack code inside the malware) also differs: some executables contain it directly, others download it remotely. In short, although the structure of the malware is the same, it is decidedly multifaceted as an attack vector.
To our knowledge, this small set of samples denotes the first instance of an actor abusing WSL to install subsequent payloads […] We hope that by illuminating this distinct tradecraft, we can help drive better detection and alerting before its use becomes more rampant.
Yes, because this delivery vehicle was chosen precisely for one reason: living in a layer beneath the Windows system, it is not currently detected by the antivirus products normally used on Windows.
Black Lotus Labs recommends that, if you have WSL installed, you enable and monitor it so as to check for suspicious activity, while waiting for this new attack vehicle to be detected as well.
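As an added example, not part of this article or of the Black Lotus Labs report, here is a PowerShell inventory check that follows the recommendation above: it confirms whether the WSL feature is enabled, lists registered distributions, and shows which Windows processes are WSL launchers and what started them. It assumes an elevated PowerShell session on a Windows 10/11 host; the set of launcher process names watched is an assumption you may extend.

```powershell
# Added example (not from the article or Black Lotus Labs): a quick
# defender-side inventory of WSL on a Windows host, so that the feature
# is known to be present and can be watched. Run in an elevated session.

# 1. Is the WSL optional feature enabled at all?
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
"WSL feature state: $($feature.State)"

# 2. Which distributions are registered, and are any running right now?
if (Get-Command wsl.exe -ErrorAction SilentlyContinue) {
    wsl.exe --list --verbose
}

# 3. Which Windows processes are WSL launchers, and who started them?
#    A wsl.exe or bash.exe whose parent is not a shell or terminal the
#    user opened (e.g. a script host or an unknown binary) deserves a look.
#    The list of names is an assumption; add others your environment uses.
$launchers = @('wsl.exe', 'bash.exe')
Get-CimInstance Win32_Process |
    Where-Object { $launchers -contains $_.Name } |
    ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            Pid         = $_.ProcessId
            Name        = $_.Name
            CommandLine = $_.CommandLine
            ParentPid   = $_.ParentProcessId
            ParentName  = $parent.Name
        }
    } | Format-Table -AutoSize
```

Scheduling this as a periodic task and diffing its output against a known-good baseline gives a simple alert on new distributions or unexpected launcher parents.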