Malware samples found trying to hack Windows from its Linux subsystem

Security researchers at Lumen’s Black Lotus Labs have found a series of malware samples that were configured to infect the Windows Subsystem for Linux and then pivot to its native Windows environment.

Researchers say the samples are the first of their kind, although security experts had theorized as far back as 2017 that such attacks would eventually be possible.

  • Coded in Python, the malware samples were compiled to run on Debian systems.
  • Initial samples were discovered in May, and the last was found last month, in August, with the samples growing in complexity across the year.
  • The malware was packed as an ELF binary that, when opened, acted as a loader to execute a secondary payload.
  • The secondary payload was either embedded within the initial malware sample or was retrieved from a remote server.
  • The secondary payload would be injected into a running Windows process using Windows API calls for what Lumen described as “ELF to Windows binary file execution.”
  • The final stages included running PowerShell or shellcode on the underlying Windows OS.
  • Detection rates on VirusTotal were low for all samples.
  • Black Lotus researchers cited the fact that Linux security software isn’t configured to look for Windows API calls inside Linux binaries as the reason for the low detection.
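The last bullet is the detection gap worth closing. As an added example (not code from Black Lotus Labs or the article), the script below applies one simple triage heuristic: scan an ELF image for Windows API and DLL names that a Linux binary normally has no reason to contain. The indicator list, the threshold and the two constructed sample images are assumptions for illustration, not the report's indicators.

```python
import re
from typing import Dict, List

# Windows API / DLL names that have no business appearing in a normal Linux ELF
# binary. Hypothetical starting list chosen for this example, not the report's IoCs.
WINDOWS_INDICATORS = {
    b"kernel32.dll", b"ntdll.dll", b"advapi32.dll",
    b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",
    b"OpenProcess", b"LoadLibraryA", b"GetProcAddress",
    b"powershell", b"-EncodedCommand",
}

ELF_MAGIC = b"\x7fELF"
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable bytes


def is_elf(data: bytes) -> bool:
    """Only ELF files are in scope; a Windows PE legitimately contains these names."""
    return data[:4] == ELF_MAGIC


def windows_api_hits(data: bytes) -> List[str]:
    """Return the Windows API/DLL names found as printable strings in an ELF image."""
    if not is_elf(data):
        return []
    hits = set()
    for s in PRINTABLE.findall(data):
        for ind in WINDOWS_INDICATORS:
            if ind.lower() in s.lower():
                hits.add(ind.decode())
    return sorted(hits)


def triage(data: bytes, threshold: int = 3) -> Dict[str, object]:
    """Flag an ELF as suspicious once enough Windows-only names appear in it."""
    hits = windows_api_hits(data)
    return {"elf": is_elf(data), "hits": hits, "suspicious": len(hits) >= threshold}


# Constructed sample images, not real malware: a minimal ELF header followed by the
# kind of strings a Linux-to-Windows loader would need, and a clean one for contrast.
SUSPICIOUS_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + (
    b"\x00kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00"
    b"CreateRemoteThread\x00powershell -EncodedCommand\x00"
)
CLEAN_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"\x00libc.so.6\x00printf\x00/etc/passwd\x00"

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_ELF), ("clean", CLEAN_ELF)):
        print(name, triage(blob))
```

String matching of this kind is a cheap first pass, not a verdict; packed or obfuscated loaders will need the strings recovered at runtime before the check is meaningful.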

“Thus far, we have identified a limited number of samples with only one publicly routable IP address, indicating that this activity is quite limited in scope or potentially still in development,” the company said in research published today and shared with The Record.

“Based on Black Lotus Labs visibility on the one routable IP address, this activity appeared to be narrow in scope with targets in Ecuador and France interacting with the malicious IP (185.63.90[.]137) on ephemeral ports between 39000 – 48000 in late June and early July,” the team added.

Researchers believe the malware developer had tested the malware from behind a VPN or proxy node, citing the small number of connections made to that IP address, which hadn’t previously seen regular traffic flow.

Indicators of compromise and file hashes are available in the Black Lotus Labs report.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.
