[German]Security researchers from Lumen's Black Lotus Labs have come across several malware samples that can infect the Windows subsystem for Linux and then switch to the native Windows environment. Experts had outlined this scenario back in 2017. Thus, the Microsoft WSL implementation creates a new attack surface for malware developers. Here's some information on the topic.
Advertising
I stumbled across this on Twitter a few hours ago because a Black Lotus Labs employee had posted this tweet.
Under the heading "It's All No Longer Theory Now," security researchers have written up the findings in this blog post.
WSL announced by MS 2016
I remember April 2016 when Microsoft announced the Windows Subsystem for Linux (WSL). WSL is an additional feature that runs a Linux image in a near-native environment on Windows, enabling features like Linux command-line tools without the overhead of a virtual machine. This new feature has been welcomed by developers as it provides the freedom to use open source software, but it also presents – and is being used by – a new attack surface for threats. Security researchers had already pointed out this theoretical possibility in 2017.
WSL malware found
In early August, Black Lotus Labs researchers discovered a number of suspicious ELF files compiled for Debian Linux as part of a search for malware. The files were written in Python 3 and converted to an ELF executable using PyInstaller. The Python code acted as a loader, using various Windows APIs that allowed a remote file to be retrieved and then injected into a running process. In this way, an actor was able to gain a foothold on an infected machine undetected.
Advertising
A quick check on VirusTotal showed most virus scanners were designed for endpoints, for Windows systems, and did not have signatures to analyze ELF files in the WSL environment. The researchers were surprised to find that virus scanners can often detect non-WSL agents with similar capabilities.
During further analysis and search, we discovered two variants of the ELF loader approach: the first variant was written purely in Python, while the second variant used Python mainly to call various Windows APIs with ctypes and invoke a PowerShell script.
Security researchers suspect that the PowerShell variant is still under development. Or, the variant may have been developed for a specific environment, as it did not run on its own in the security researchers' test environment. However, the research indicates that this approach is viable, as the security researchers were able to successfully create a proof of concept (PoC) that called the Windows APIs from the WSL subsystem. The technical details can be found in this blog post.
