One of the latest discoveries in the Linux security field reveals that the Windows Subsystem for Linux, commonly known as WSL, has turned into a new attack surface.
Security researchers recently came across a number of malicious files written primarily in Python and compiled in the Linux binary format ELF for Debian. The files acted as loaders running a payload either embedded within the sample or retrieved from a remote server, according to Black Lotus Labs’ discovery. Then, the payload was injected into a running process via Windows API calls.
WSL: a new attack surface for threat actors
“While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virus Total, depending on the sample, as of the time of this writing,” Black Lotus Labs’ report noted.
Fortunately, the recently discovered attack surface is limited in scope, which could mean that it is still in development. The researchers have identified a handful of samples with only one publicly routable IP address. It is also highly likely that this is the first instance of threat actors leveraging WSL to install malicious payloads.
More about the malicious ELF files for Debian Linux
As already mentioned, the researchers came across several suspicious ELF files, written in Python and compiled for Debian Linux.
“The Python code acted as a loader by utilizing various Windows APIs which enabled the retrieval of a remote file and then injection into a running process. This tradecraft could allow an actor to gain an undetected foothold on an infected machine,” the report added.
The files had very low detection rates on VirusTotal, suggesting that Windows endpoint agents don’t have signatures to analyze ELF files. Furthermore, two variants of the ELF loader were revealed: one written entirely in Python, and another that used Python to call various Windows APIs via ctypes (a foreign function library for Python) to invoke a PowerShell script.
The researchers believe that the second variant is either still under development or has been created for a specific environment. Nonetheless, the approach is definitely viable – the researchers were even able to create a proof-of-concept showing how Windows APIs can be called from the WSL subsystem.
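A static triage check a defender could run over files found in a WSL distribution, written here as an added example (not Black Lotus Labs’ code): it validates the ELF header and scans the file for the indicator strings the report describes (Python ctypes, Windows API names, PowerShell). The sample bytes are constructed, and the indicator list and the two-hit threshold are assumptions.

```python
import struct

# Indicator strings drawn from the report's description of the loaders
# (Python + ctypes reaching Windows APIs, then PowerShell). The list is
# illustrative, not the report's own signature.
INDICATORS = [b"ctypes", b"windll", b"kernel32", b"powershell", b"virtualalloc"]


def parse_elf_header(data: bytes):
    """Return basic header fields if data is a plausible ELF file, else None."""
    if len(data) < 52 or data[:4] != b"\x7fELF":   # 52 = ELF32 header size
        return None
    ei_class, ei_data = data[4], data[5]           # 1/2 = 32/64-bit, 1/2 = LSB/MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {"bits": 32 if ei_class == 1 else 64,
            "endian": "little" if ei_data == 1 else "big",
            "type": e_type, "machine": e_machine}


def triage_elf(data: bytes):
    """Flag an ELF that carries several Windows/ctypes/PowerShell strings."""
    hdr = parse_elf_header(data)
    if hdr is None:
        return None
    body = data.lower()
    hits = [s.decode() for s in INDICATORS if s in body]
    hdr["indicators"] = hits
    hdr["suspicious"] = len(hits) >= 2             # threshold is an assumption
    return hdr


def build_sample() -> bytes:
    """Constructed ELF64 x86-64 header followed by embedded loader-like text."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    body = (b"\x00" * 16 + b"import ctypes\n"
            b"k32 = ctypes.windll.kernel32\n"
            b"subprocess.run(['powershell.exe', '-File', 'stage.ps1'])\n")
    return header + body


if __name__ == "__main__":
    print(triage_elf(build_sample()))
```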
Another recent report, created by Trend Micro, focused on the most prevalent vulnerabilities and malware families in the Linux threat landscape. More than 13 million events were identified and flagged by the company’s sensors, and 10 malware families were outlined.