{"id":3186,"date":"2021-09-17T18:52:14","date_gmt":"2021-09-17T13:22:14","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=3186"},"modified":"2021-09-17T18:52:16","modified_gmt":"2021-09-17T13:22:16","slug":"new-malware-utilizes-windows-subsystem-for-linux-for-crafty-attacks","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/new-malware-utilizes-windows-subsystem-for-linux-for-crafty-attacks\/","title":{"rendered":"New Malware Utilizes Windows Subsystem for Linux for Crafty Attacks"},"content":{"rendered":"\n<p><p style=\"text-align: justify;\">Security researchers have found malicious Linux binaries built for the Windows Subsystem for Linux (WSL), indicating that attackers are trying out new methods to compromise Windows machines. The findings indicate that threat actors are exploring new attack techniques and are turning their attention to WSL to evade detection.<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Utilizing WSL to Evade Detection<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">The first samples targeting the WSL environment were found in early May and continued to appear every two to three weeks until August 22. They act as loaders for the WSL environment and have very low detection rates on public file-scanning services.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">In a recent report, security researchers at Lumen\u2019s Black Lotus Labs say that the malicious files either have the payload embedded or fetch it from a remote server. The next step is to inject the Trojan into a running process using Windows API calls, a technique that is neither advanced nor sophisticated.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Of the small number of samples identified, only one came with a publicly routable IP address, hinting that threat actors are testing the use of WSL to install malware on Windows. The malicious files rely mainly on Python 3 to carry out their tasks and are packaged as ELF executables for Debian using PyInstaller.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">\u201cAs the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don\u2019t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality.\u201d<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Less than a month ago, one of the malicious Linux files was detected by just one antivirus engine on VirusTotal. Refreshing the scan on another sample showed that it went completely undetected by the engines on the scanning service.<\/p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"452\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/New-Malware-Utilizes-Windows-Subsystem-for-Linux-for-Crafty-Attacks-image1-1024x452.jpg\" alt=\"New-Malware-Utilizes-Windows-Subsystem-for-Linux-for-Crafty-Attacks-image1\" class=\"wp-image-3188\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/New-Malware-Utilizes-Windows-Subsystem-for-Linux-for-Crafty-Attacks-image1-1024x452.jpg 1024w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/New-Malware-Utilizes-Windows-Subsystem-for-Linux-for-Crafty-Attacks-image1-300x132.jpg 300w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/New-Malware-Utilizes-Windows-Subsystem-for-Linux-for-Crafty-Attacks-image1-768x339.jpg 768w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/New-Malware-Utilizes-Windows-Subsystem-for-Linux-for-Crafty-Attacks-image1.jpg 1236w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Variants in PowerShell and Python<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">One of the variants, written entirely in Python 3, does not use any Windows API and appears to be the first attempt at a loader for WSL. It uses standard Python libraries, which makes it compatible with both Windows and Linux.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">In one test sample the researchers found code that prints \u201cHello Sanya\u201d in Russian. All but one of the files associated with this sample contained local IP addresses, while the public IP pointed to 185.63.90.137, which was already offline when the researchers tried to retrieve the payload.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Another \u201cELF to Windows\u201d loader variant relied on PowerShell to inject and execute the shellcode. One of these samples used Python to call functions that killed the running antivirus solution, established persistence on the system, and ran a PowerShell script every 20 seconds.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Based on differences observed when analyzing several samples, the researchers believe that the code is still under development, although in its final stages. The limited visibility afforded by the public IP address indicates activity restricted to targets in Ecuador and France between late June and early July.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Black Lotus Labs assesses that the WSL malware loaders are the work of a threat actor testing the method from a VPN or proxy node. Microsoft introduced Windows Subsystem for Linux in April 2016. In September 2017, when WSL was freshly out of beta, researchers at Check Point demonstrated an attack they called Bashware, in which WSL could be abused to hide malicious code from security products.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">The Lumen Black Lotus Labs report provides indicators of compromise associated with the analyzed campaign to help defenders create detection rules.
For file hashes and data on this threat actor\u2019s wider activity.<\/p><\/p>\n","protected":false},"author":2,"featured_media":3189,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[]}