Malware samples found trying to hack Windows from its Linux subsystem
Security researchers at Lumen’s Black Lotus Labs have found a series of malware samples that were configured to infect the Windows Subsystem for Linux and then pivot to its native Windows environment.
Researchers claim the samples are the first of their kind, although security experts have theorized since 2017 that such attacks were possible.
- Coded in Python, the malware samples were compiled to run on Debian systems.
- Initial samples were discovered in May, and the last was found last month, in August, with the samples growing in complexity across the year.
- The malware was packed as an ELF binary that, when opened, acted as a loader to execute a secondary payload.
- The secondary payload was either embedded within the initial malware sample or was retrieved from a remote server.
- The secondary payload would be injected into a running Windows process using Windows API calls for what Lumen described as “ELF to Windows binary file execution.”
- The final stages included running PowerShell or shellcode on the underlying Windows OS.
- Detection rates on VirusTotal were low for all samples.
- Black Lotus researchers cited the fact that Linux security software isn’t configured to look for Windows API calls inside Linux binaries as the reason for the low detection.
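The detection gap the researchers describe is that Linux-side scanners rarely ask whether an ELF file carries Windows-specific strings. The following triage script is an added example written for this article, not code from Lumen or Black Lotus Labs: it checks the ELF magic and then searches the file body, in both ASCII and UTF-16LE form, for an assumed, illustrative list of Win32 loader DLL names, process-injection API names and PowerShell invocation tokens. The indicator list, the threshold and the constructed sample bytes are all assumptions for the demonstration, not the report's indicators of compromise.

```python
"""Heuristic triage of an ELF file for embedded Windows API / PowerShell indicators.

Added example for this article; not code from the Lumen / Black Lotus Labs report.
"""

ELF_MAGIC = b"\x7fELF"

# Assumed indicator list: well-known Win32 DLL names, process-injection APIs and
# PowerShell invocation tokens. Illustrative only, not the report's IOC set.
WINDOWS_INDICATORS = (
    "kernel32.dll", "ntdll.dll", "VirtualAllocEx", "WriteProcessMemory",
    "CreateRemoteThread", "CreateProcessW", "powershell", "-EncodedCommand",
)


def is_elf(data: bytes) -> bool:
    """True when the file starts with the ELF magic bytes."""
    return data[:4] == ELF_MAGIC


def find_windows_indicators(data: bytes) -> list[str]:
    """Return indicators present in the file as ASCII or UTF-16LE, case-insensitively.

    Python-built loaders often carry wide strings, so both encodings are searched.
    """
    lowered = data.lower()  # bytes.lower() only touches ASCII letters, which is what we need
    hits = []
    for indicator in WINDOWS_INDICATORS:
        narrow = indicator.lower().encode("ascii")
        wide = indicator.lower().encode("utf-16-le")
        if narrow in lowered or wide in lowered:
            hits.append(indicator)
    return hits


def triage(data: bytes, threshold: int = 2) -> dict:
    """Flag a file as suspicious when it is an ELF and carries >= threshold indicators."""
    elf = is_elf(data)
    hits = find_windows_indicators(data)
    return {"is_elf": elf, "indicators": hits, "suspicious": elf and len(hits) >= threshold}


# Constructed sample inputs (not real malware): an ELF header followed by string data.
SUSPICIOUS_SAMPLE = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"\x00" * 64
    + b"kernel32.dll\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + "powershell -EncodedCommand".encode("utf-16-le")
)
BENIGN_SAMPLE = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"libc.so.6\x00printf\x00"
NOT_ELF = b"MZ\x90\x00" + b"kernel32.dll\x00CreateRemoteThread"  # PE-like header, not an ELF

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE), ("not-elf", NOT_ELF)):
        print(name, triage(blob))
```

Treat a hit as a reason to pull the file for closer analysis, not as a verdict: legitimate cross-platform tooling (Wine, mingw toolchains, interoperability helpers) also embeds Windows API names in ELF binaries, which is why the function reports the matched indicators rather than only a boolean.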
“Thus far, we have identified a limited number of samples with only one publicly routable IP address, indicating that this activity is quite limited in scope or potentially still in development,” the company said in research published today and shared with The Record.
“Based on Black Lotus Labs visibility on the one routable IP address, this activity appeared to be narrow in scope with targets in Ecuador and France interacting with the malicious IP (185.63.90[.]137) on ephemeral ports between 39000 – 48000 in late June and early July,” the team added.
Researchers believe the malware developer had tested the malware from behind a VPN or proxy node, citing the small number of connections made to that IP address, which hadn’t previously seen regular traffic flow.
Indicators of compromise and file hashes are available in the Black Lotus Labs report.