Stealth Malware for Linux found in Windows Subsystem for Linux – Read Full report


New Linux malware has been found that uses the Windows Subsystem for Linux (WSL) to evade the security tools running on the Windows host. Black Lotus Labs, the threat research arm of Lumen, found the samples and has published a report on them.

Microsoft introduced WSL with the Windows 10 Anniversary Update. WSL lets users run GNU/Linux tools without dual booting. The first version, however, did not run a Linux kernel at all: it translated Linux system calls into Windows ones. WSL 2 was the milestone that shipped a real Linux kernel inside WSL, running in a lightweight virtual machine that Windows manages for the user. Since then, users have been able to run Linux environments without dual booting or setting up and maintaining a VM themselves.

That convenience also opened a new dimension of security risk. A Linux binary running under WSL can reach Windows resources through WSL's interoperability features, and Black Lotus Labs found malware that uses exactly that path to attack Windows PCs while slipping past the checks of the security products installed on them.

How does this malware work?

According to the researchers, the malware was distributed as ELF (Executable and Linkable Format) files, the native binary format of Linux. The samples mostly targeted Debian and its derivatives; Debian is a very popular base, and Ubuntu, the default WSL distribution, is itself Debian-derived.

In some samples the payload for the target machine was embedded in the ELF file itself; in others the file was only a loader that fetched the payload from remote command-and-control (C2) infrastructure.

Black Lotus Labs added that it found several variants of these malicious ELF files. One of them used Windows PowerShell to reach specific Windows APIs from inside WSL. Others relied on common Python libraries that are available on both platforms, which let the same code run against Windows and Linux machines.

At the time the Black Lotus Labs report was published, the samples had a detection rate of zero or one on VirusTotal, the multi-engine scanning service: at most one antivirus engine flagged them, which is alarming.

A Black Lotus Labs researcher said: “To our knowledge, this small set of samples denotes the first instance of an actor abusing WSL to install subsequent payloads. We hope that by illuminating this distinct tradecraft, we can help drive better detection and alerting before its use becomes more rampant.”

Black Lotus Labs' suggestion to users:

Enable proper logging on systems that use WSL. Logging will not stop the initial infection, but it makes this kind of tradecraft visible so that it can be detected and alerted on.
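As an added example (not code from this article or from Black Lotus Labs' report), the following Python script shows the kind of detection that such logging enables: it reads Windows process-creation events (Sysmon Event ID 1 or Security 4688 style, constructed here as JSON lines) and flags any PowerShell process whose parent is a WSL component. The parent image names in WSL_PARENTS are an assumption about how WSL interop appears in process telemetry and should be tuned against real events from your own hosts.

```python
"""Detect PowerShell launched from a WSL process in Windows process-creation logs.

Added example: the event layout mimics Sysmon Event ID 1 / Security 4688 fields
(Image, ParentImage, CommandLine). The sample records below are constructed,
not real telemetry, and the WSL parent list is an assumption to be tuned.
"""
import json
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# ASSUMPTION: Windows-side images that show up as the parent when a WSL distro
# launches a Windows binary through interop. Tune against real logs; distro
# launchers such as ubuntu.exe may need adding in your environment.
WSL_PARENTS = {"wsl.exe", "wslhost.exe", "bash.exe", "init"}

# PowerShell hosts of interest: Windows PowerShell and PowerShell 7.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Finding:
    record_id: int
    parent_image: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def parse_events(text: str) -> List[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_wsl_powershell(events: Iterable[dict]) -> List[Finding]:
    """Return one Finding per PowerShell process whose parent is a WSL component."""
    findings: List[Finding] = []
    for ev in events:
        if (image_name(ev["Image"]) in POWERSHELL_IMAGES
                and image_name(ev["ParentImage"]) in WSL_PARENTS):
            findings.append(Finding(
                record_id=ev["RecordId"],
                parent_image=ev["ParentImage"],
                image=ev["Image"],
                command_line=ev["CommandLine"],
            ))
    return findings


# Constructed sample events: a benign interactive PowerShell (1), two PowerShell
# launches from WSL components (2, 3), and a WSL interop call that is not
# PowerShell (4). Backslashes are doubled because the lines are JSON.
SAMPLE_LOG = r"""
{"RecordId": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
{"RecordId": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wsl.exe", "CommandLine": "powershell.exe -NoProfile -NonInteractive -Command Get-Process"}
{"RecordId": 3, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "ParentImage": "C:\\Windows\\System32\\wslhost.exe", "CommandLine": "pwsh.exe -c Get-Process"}
{"RecordId": 4, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\System32\\wsl.exe", "CommandLine": "notepad.exe"}
"""


if __name__ == "__main__":
    for hit in find_wsl_powershell(parse_events(SAMPLE_LOG)):
        print(f"record {hit.record_id}: {hit.parent_image} -> {hit.image} :: {hit.command_line}")
```

To use it on real data, replace SAMPLE_LOG with a JSON-lines export of Sysmon or 4688 events from your SIEM. A hit means a Linux process under WSL crossed into Windows through PowerShell; for most interactive users that is rare, so it is a reasonable thing to alert on and then investigate the command line.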
