Cybercriminals are attacking Windows processes with Linux executables by abusing Microsoft’s Windows Subsystem for Linux (WSL), a tactic researchers previously warned could let adversaries infect victims with malware while drawing low detection rates from AV and anti-malware software.
Researchers from Black Lotus Labs who discovered the campaign have claimed in a new company blog post that this is the first known instance of this technique being used in the wild since Microsoft introduced WSL in 2016.
Though the company found only a small number of samples, “we suspect there could be additional samples currently being used in the wild,” said Mike Benjamin, Lumen’s vice president of product security and head of the Black Lotus Labs team. “We hope that by illuminating this distinct tradecraft, we can help others detect similar activity and alert the security community before its use becomes more rampant.”
According to a Microsoft FAQ page, WSL is a Windows 10 feature that “enables you to run native Linux command-line tools directly on Windows, alongside your traditional Windows desktop and apps.” But while the ability to run Linux executables natively is a convenience for developers, it also expands the attack surface available to adversaries.
This past August, Black Lotus Labs discovered the threat after uncovering several malicious downloaders, largely written in Python and compiled into the Linux binary format (ELF) for Debian. These loaders, some dating as far back as May 2021, are designed specifically for the WSL environment. They deliver a secondary payload either by extracting one embedded within the sample itself or by retrieving one from a remote server, then inject it into a running process through Windows API calls made via ctypes (Python’s foreign function library) and invoke a PowerShell script.
Payloads were likely generated with open-source tools such as MSFVenom and appear to be Meterpreter, but other tooling such as Cobalt Strike could conceivably be delivered the same way, the report notes.
“We suspect that actor was searching for a mechanism to remotely retain access to an infected machine. In that regard, they were successful because the Meterpreter sample initially had a very low detection rate,” said Benjamin. “Unfortunately, we are unable to speculate their ultimate motivations at this time; however, if we uncover more activity related to this cluster, we will inform the community of our findings.”
In 2017, researchers at Check Point Software Technologies warned of the possibility of attackers using this technique, which the company termed “Bashware” (because WSL makes a Bash shell available to Windows users).
Check Point tested the technique against many of the leading security products available at the time and was able to bypass all of them.
Regarding WSL, “it seems the industry has still not adapted to the existence of this strange hybrid concept which allows a combination of Linux and Windows systems to run at the same time,” the Check Point blog post explained. “This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.”
Apparently little has changed since then.
“While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in VirusTotal, depending on the sample, as of the time of this writing,” Black Lotus Labs wrote in its blog post. “As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality.”
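As an added illustration (this is example code, not the Black Lotus Labs tooling or anything from the article): a small Python triage script that recognizes an ELF file from its header and then checks whether a second executable image (a PE or another ELF) sits after the outer header, which is the “embedded payload” delivery mode described above and exactly the kind of ELF-aware check the quoted paragraph says Windows-focused agents tend to lack. The `scan_paths` helper (for walking a mounted WSL root filesystem) and the sample blob are assumptions made for this example; the sample bytes are synthetic headers built inline, not real samples.

```python
"""Triage helper: identify ELF binaries and look for second-stage payloads
(PE or ELF images) embedded after the outer ELF header.
The sample blob at the bottom is constructed for this example; it is not a
real sample and contains no executable code."""
import os
import struct

ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def parse_elf_header(blob: bytes):
    """Return class/endianness/type/machine for an ELF blob, or None if not ELF."""
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = blob[4], blob[5]          # 1=32-bit/2=64-bit, 1=LE/2=BE
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", blob, 16)
    return {
        "class": "ELF64" if ei_class == 2 else "ELF32",
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, f"0x{e_type:x}"),
        "machine": ELF_MACHINES.get(e_machine, f"0x{e_machine:x}"),
    }


def _is_pe_at(blob: bytes, pos: int) -> bool:
    """True if a DOS header at `pos` points (via e_lfanew) at a 'PE\\0\\0' signature."""
    if pos + 0x40 > len(blob):
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
    pe_off = pos + e_lfanew
    return blob[pe_off:pe_off + 4] == b"PE\0\0"


def find_embedded_payloads(blob: bytes):
    """List (kind, offset) for PE or ELF images found after the outer header."""
    hits = []
    pos = blob.find(ELF_MAGIC, 1)                  # skip offset 0 (the outer header)
    while pos != -1:
        hits.append(("ELF", pos))
        pos = blob.find(ELF_MAGIC, pos + 1)
    pos = blob.find(PE_MAGIC)
    while pos != -1:
        if _is_pe_at(blob, pos):                    # filter out random "MZ" byte pairs
            hits.append(("PE", pos))
        pos = blob.find(PE_MAGIC, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def triage(blob: bytes) -> dict:
    """Combine both checks; an ELF carrying another executable image is flagged."""
    hdr = parse_elf_header(blob)
    if hdr is None:
        return {"is_elf": False, "header": None, "embedded": [], "suspicious": False}
    embedded = find_embedded_payloads(blob)
    return {"is_elf": True, "header": hdr, "embedded": embedded,
            "suspicious": bool(embedded)}


def scan_paths(paths, max_bytes=64 * 1024 * 1024):
    """Walk directories (e.g. a mounted WSL rootfs) and yield triage results for ELF files.
    Assumed helper for this example; unreadable files are skipped."""
    for root in paths:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        data = fh.read(max_bytes)
                except OSError:
                    continue
                if data[:4] == ELF_MAGIC:
                    yield path, triage(data)


# --- constructed sample data (synthetic headers, not real malware) ----------
def build_elf64_header(machine=0x3E) -> bytes:
    """Minimal 64-byte ELF64 little-endian EXEC header with no segments."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, 0, 0, 0, 0,
                               64, 56, 0, 64, 0, 0)


def build_pe_stub() -> bytes:
    """64-byte DOS header whose e_lfanew points straight at a 'PE\\0\\0' signature."""
    dos = bytearray(64)
    dos[0:2] = PE_MAGIC
    struct.pack_into("<I", dos, 0x3C, 64)
    return bytes(dos) + b"PE\0\0" + b"\x00" * 20


SAMPLE_PE_OFFSET = 64 + 256                      # outer header + padding
SAMPLE_BLOB = build_elf64_header() + b"\x00" * 256 + build_pe_stub()

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```

This is a coarse static check: it catches the embedded-payload variant but not a loader that only fetches its payload from a remote server at run time, which is why the article’s other recommendation, inspecting WSL events on the host, still matters.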
Benjamin noted that the evasion of AV programs is not due to a flaw in WSL, and it is not up to Microsoft to issue any kind of patch or fix. “This is a threat actor abusing a legitimate application,” he explained. “As the boundaries between operating systems continue to disappear, threat actors will take advantage of new attack surfaces.”
It’s system administrators of organizations using WSL who must take action. “Those who have enabled WSL should check their system logs to ensure proper configuration and to detect non-Windows malware,” Benjamin told SC Media. “Our blog contains a link to the MSDN documentation, which has the instructions for those who wish to take this additional step.”
Additionally, the developers of security solutions may also have to account for this latest threat. “We suspect that EDR products will need to take the additional steps of detecting and analyzing events from WSL to detect and protect against this type of attack,” Benjamin added.
Earlier this week, researchers from Intezer reported discovering a new Linux version of Cobalt Strike Beacon, the red-team implant frequently abused by attackers, written from scratch and so far undetected by every antivirus engine on VirusTotal.