reports that Windows Subsystem for Linux has been increasingly leveraged by threat actors as an attack surface for new malware
More than a year after they were discovered, malicious Linux binaries for WSL have thrived, with over 100 WSL-based malware samples reported by Black Lotus Labs since last fall.
One of the significant samples leveraged the RAT-via-Telegram Bot open-source tool to enable not only the exfiltration of Google Chrome and Opera authentication cookies, but also command execution and file downloads, according to researchers, who added that the malware's live bot token and chat ID suggested that active command-and-control capabilities were available to its operators.
The report also showed that this particular sample was flagged by only two of 57 antivirus engines on VirusTotal. Meanwhile, the other WSL-based malware sample was noted to be able to establish a reverse TCP shell on infected devices, giving attackers a communication channel to the host.
Newly identified WSL-based malware "would prove effective with an active C2 infrastructure in place given the low detection rates of AV providers," said researchers.