According to Black Lotus Labs, several malicious files written in Python and compiled into the Linux ELF (Executable and Linkable Format) binary format for Debian have recently been identified targeting WSL. These files act as loaders: they run a payload retrieved from a remote server, which is then injected into a running process using Windows API calls.
While the approach itself is not new, this marks the first instance in which threat actors have been found abusing WSL to install payloads, and using an ELF loader inside the WSL environment makes the technique comparatively hard for Windows-focused security tooling to detect.
How Does the Malware Evade Detection on Windows Subsystem for Linux?
The researchers at Black Lotus Labs identified a series of samples, uploaded every two to three weeks from as early as May 3 through August 22, 2021, that target the WSL environment.
These samples were compiled with Python 3.9 using PyInstaller for the Debian operating system version 8.3.0-6, and some contained lightweight payloads that could have been generated with open-source tools such as MSFVenom or Meterpreter.
While the Meterpreter framework is well known in the industry, that has not stopped cybercrime and ransomware groups from using it in the past, and it would be easy for an operator to swap the Meterpreter payload for more advanced tooling such as Cobalt Strike or a custom agent.
The execution path from ELF to Windows binary differed between files: in some, PowerShell was used to inject and execute the shellcode; in others, Python ctypes was used to resolve Windows APIs. The malicious files attempted to download shellcode from a remote C2 server and used ctypes to call Windows APIs, in addition to invoking PowerShell to perform subsequent actions on the host machine.
As the boundaries between operating systems continue to blur, threat actors will take advantage of the new attack surfaces. Users and defenders who have enabled WSL should therefore ensure that WSL activity is properly logged, in particular the creation of Windows processes launched from the Linux side, so that this type of threat can be detected.
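The loaders described above end up running PowerShell (or another Windows scripting host) from inside WSL, which is the point where host-side logging can catch them. The following is an added detection example, not code from Black Lotus Labs or from the original article. It scans Sysmon Event ID 1 (process creation) records for Windows processes whose parent is the WSL interop layer and raises the severity when the child is PowerShell started with flags typical of hidden, encoded in-memory execution. The log records are constructed for the example, and the assumption that interop-launched processes show wsl.exe, wslhost.exe or bash.exe as their parent image is the same one used by common public detection rules; verify it against your own WSL version before relying on it.

```python
# Added detection example (not part of the original article or the research it reports).
# Scans Sysmon Event ID 1 records for Windows binaries launched through WSL interop.
import re

# Assumption: these are the parent images seen on the Windows side when a Linux
# process inside WSL launches a Windows executable.
WSL_PARENTS = {"wsl.exe", "wslhost.exe", "bash.exe"}
# WSL's own plumbing (wsl.exe spawning wslhost.exe/conhost.exe) is not interesting.
WSL_INTERNAL = {"wsl.exe", "wslhost.exe", "conhost.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "python.exe", "wscript.exe", "cscript.exe"}
# PowerShell switches that commonly accompany hidden, encoded or non-interactive execution.
POWERSHELL_FLAGS = re.compile(r"(?i)(-enc(odedcommand)?\s|-nop\b|-w(indowstyle)?\s+hidden|-noni)")

# Constructed Sysmon Event ID 1 records (field names follow the Sysmon schema).
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"ProcessId": 1002, "Image": r"C:\Windows\System32\wslhost.exe",
     "ParentImage": r"C:\Windows\System32\wsl.exe", "CommandLine": "wslhost.exe"},
    {"ProcessId": 1003, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ProcessId": 1004, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wslhost.exe", "CommandLine": "cmd.exe /c dir"},
    {"ProcessId": 1005, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\wsl.exe", "CommandLine": "notepad.exe"},
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, reason) for a process-creation event, or None if benign."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in WSL_PARENTS:
        return None
    if child in WSL_INTERNAL:
        return None
    cmd = event.get("CommandLine", "")
    if child in {"powershell.exe", "pwsh.exe"} and POWERSHELL_FLAGS.search(cmd):
        return ("high", "PowerShell launched from WSL interop with hidden/encoded execution flags")
    if child in SCRIPT_HOSTS:
        return ("medium", "scripting host launched from WSL interop")
    return ("low", "Windows binary launched from WSL interop")


def scan(events):
    """Return [(ProcessId, severity, reason)] for every event that is not benign."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            hits.append((ev["ProcessId"], verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for pid, severity, reason in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: [{severity}] {reason}")
```

Run it as-is to see the three constructed interop launches flagged at different severities; in a real deployment the same classification can be expressed as a Sigma rule or SIEM query keyed on the ParentImage field, and Sysmon must be configured to record process creation for it to produce these events at all.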