Attackers Use Linux Binaries as Loaders for Windows Malware

Using Microsoft’s Windows Subsystem for Linux (WSL), attackers have leveraged Linux binaries to load payloads into Windows processes, according to researchers with Black Lotus Labs, the threat intelligence unit of tech company Lumen.

As part of the observed attacks, Linux ELF (Executable and Linkable Format) binaries were employed to inject payloads into running processes using Windows API calls. The ELF binaries were written in Python and converted for the Debian platform using PyInstaller.

“While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virustotal, depending on the sample, as of the time of this writing,” Black Lotus says.

Introduced in 2016, WSL allows for the execution of Linux images on Windows machines, in a near-native environment that eliminates the use of virtual machines. A great tool for developers, the feature also opens the door for new types of abuse in malicious attacks, the security researchers warn.

Black Lotus identified only a small number of malicious samples used in these attacks, suggesting that the activity might be under development or simply limited in scope.

The suspicious ELF files, first identified in August, were designed to fetch an embedded or remote payload and inject it using Windows APIs. The approach helps the attack stay undetected, as most Windows security tools won’t analyze ELF files.

Two variants of the ELF loader were identified, one written in Python only, and another that used Python to call Windows APIs and to invoke a PowerShell script. Unable to execute on its own, the PowerShell variant appears to be still under development.

In late June and early July, the technique was leveraged in attacks targeting Ecuador and France, interacting with an IP address on ephemeral ports between 39000 and 48000. This, Black Lotus suggests, shows that the adversary might have been only testing the capability, using a VPN or proxy.

“With broader industry detection of this technique, we suspect additional activity will be uncovered. […] We advise defenders who’ve enabled WSL [to] ensure proper logging in order to detect this type of tradecraft,” Black Lotus concludes.
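As an added example (not code from Black Lotus Labs or from this article), the Python triage script below does the check the article says most Windows tools skip: it walks a directory such as a WSL distro’s rootfs (the exact path is site-specific and an assumption here), identifies ELF images from their header, and flags those carrying PyInstaller’s archive cookie so the hits can be logged and reviewed. The sample byte strings at the bottom are constructed and are not real malware.

```python
import os
import struct
from typing import Iterator, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
# PyInstaller appends its bundled archive behind a "cookie" that begins with this magic;
# its presence in an ELF image marks a PyInstaller-built binary like the loaders described.
PYINSTALLER_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}


def classify_elf(data: bytes) -> Optional[dict]:
    """Return ELF header facts plus a PyInstaller flag, or None if data is not an ELF image."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    bits = 64 if data[4] == 2 else 32               # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": bits,
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, hex(e_type)),
        "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
        "pyinstaller": PYINSTALLER_COOKIE_MAGIC in data,
    }


def scan_tree(root: str) -> Iterator[Tuple[str, dict]]:
    """Walk a directory (e.g. a WSL distro's rootfs; assumed, site-specific) and yield ELF hits."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    info = classify_elf(fh.read())
            except OSError:
                continue                              # unreadable or vanished; skip it
            if info is not None:
                yield path, info


# Constructed samples (not real malware): a minimal ELF64 little-endian x86-64 header with
# the PyInstaller cookie appended, and a stub PE header that must be reported as non-ELF.
SAMPLE_ELF_PYI = (ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
                  + struct.pack("<HH", 2, 0x3E) + b"\x00" * 44 + PYINSTALLER_COOKIE_MAGIC)
SAMPLE_PE = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    import sys
    for path, info in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "PYINSTALLER " if info["pyinstaller"] else ""
        print(f"{flag}{info['machine']} {info['bits']}-bit {info['type']}: {path}")
```

Run it against the rootfs directory of each installed distro and forward the output to whatever log pipeline already covers the host; a PyInstaller-built ELF that nobody on the team remembers building is worth a look.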

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
