New Windows Subsystem for Linux malware steals browser authentication cookies
Hackers are showing increased interest in the Windows Subsystem for Linux (WSL) as an attack surface as they create new malware, with the most advanced samples suitable for spying and downloading modules additional malware.
As the feature name suggests, WSL allows running native Linux binaries on Windows in an environment that emulates the Linux kernel.
Recently discovered WSL-based malware samples rely on open-source code that routes communication through the Telegram messaging service and gives the threat actor remote access to the compromised system.
RAT and shells
Malicious Linux binaries for WSL were first discovered over a year ago, and researchers from Lumen Technologies’ Black Lotus Labs published a report on this new type of threat in September 2021.
Since then, their numbers have grown steadily, with all variants enjoying low detection rates, despite being based on publicly available code.
Black Lotus Labs researchers told BleepingComputer this week that they have tracked more than 100 WSL-based malware samples since last fall.
Some are more advanced than others, the researchers said, adding that threat actors “show an ongoing interest” in the malware they track.
Among the analyzed samples, two of them are more notable due to their abilities to function as a remote access tool (RAT) or to establish a reverse shell on the infected host.
Both samples were discovered after the Black Lotus Labs report in March who warned that WSL would become a favored attacking surface for opponents of varying levels of technical skill.
One of the more recent examples relied on an open-source Python-based tool called RAT-via-Telegram Bot which allows to control Telegram and comes with functions to steal authentication cookies from Google Chrome and Opera web browsers, execute commands or download files.
Black Lotus Labs researchers told BleepingComputer that the malware came with a live bot token and a chat ID, indicating an active command and control mechanism.
Additional functions of this variant include taking screenshots and entering user and system information (username, IP address, OS version), which helps the attacker determine what malware or utilities it can use in the next phase of the compromise.
When Black Lotus Labs analyzed the sample, only two out of 57 antivirus engines on Virus Total flagged it as malicious, the researchers noted.
A second, recently discovered WSL-based malware sample was created to set up a reverse TCP shell on the infected machine to communicate with the attacker.
Upon examining the code, researchers noticed that it used an Amazon Web Services IP address that had been used previously by multiple entities.
One peculiarity the researchers observed with this sample was that it displayed a pop-up message in Turkish, which translated to: “You’re screwed and there’s not much to do.”
However, neither the pop-up message, which could indicate Turkish-speaking targets, nor the code provided any clue as to the author of the malware.
Both malware could be used for spying purposes and can download files that would extend their functionality, the researchers said.
WSL-Based Malware Takes Off
Black Lotus Labs has warned in the past that threat actors are exploring the WSL vector more deeply, although many analyzed samples “did not yet appear to be fully functional due to the use of internal or non-routable IP addresses.” .
Nevertheless, malware authors are progressing and have already created variants that work on both Windows and Linux and can upload and download files, or execute commands from attackers.
Unlike previous WSL-based malware, the latest samples analyzed by Black Lotus Labs “would be effective with an active C2 [command and control] infrastructure in place given the low detection rates of audiovisual providers. »
The general recommendation for defending against WSL-based threats is to closely monitor system activity (e.g. SysMon) to determine suspicious activity and investigate orders.