
Attackers Use Linux Binaries as Loaders for Windows Malware

Using Microsoft’s Windows Subsystem for Linux (WSL), attackers have leveraged Linux binaries to load payloads into Windows processes, according to researchers with Black Lotus Labs, the threat intelligence unit of tech company Lumen.


As part of the observed attacks, Linux ELF (Executable and Linkable Format) binaries were employed to inject payloads into running processes using Windows API calls. The ELF binaries were written in Python and converted for the Debian platform using PyInstaller.

“While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virustotal, depending on the sample, as of the time of this writing,” Black Lotus says.

Introduced in 2016, WSL allows for the execution of Linux images on Windows machines, in a near-native environment that eliminates the use of virtual machines. A great tool for developers, the feature also opens the door for new types of abuse in malicious attacks, the security researchers warn.

Black Lotus identified only a small number of malicious samples used in these attacks, suggesting that the activity might be under development or simply limited in scope.

The suspicious ELF files, first identified in August, were designed to fetch an embedded or remote payload and inject it using Windows APIs. Because most Windows security tools do not analyze ELF files, the loader stage largely escapes inspection.

Two variants of the ELF loader were identified, one written in Python only, and another that used Python to call Windows APIs and to invoke a PowerShell script. Unable to execute on its own, the PowerShell variant appears to be still under development.

In late June and early July, the technique was leveraged in attacks targeting Ecuador and France, interacting with an IP address on ephemeral ports between 39000 and 48000. This, Black Lotus suggests, shows that the adversary might have been only testing the capability, using a VPN or proxy.


“With broader industry detection of this technique, we suspect additional activity will be uncovered. […] We advise defenders who’ve enabled WSL [to] ensure proper logging in order to detect this type of tradecraft,” Black Lotus concludes.
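Black Lotus' advice to log WSL activity can be turned into a simple triage check. The following is an added example, not code from the report or from SecurityWeek: it runs two heuristics over constructed Sysmon-style events, flagging a Windows scripting host spawned from the WSL interop binary and a WSL-attributed connection that uses a port in the 39000 to 48000 range the article mentions. The field names mimic Sysmon process-creation and network-connection events; the set of WSL image names, the child-process watchlist, and treating either side's port as the reported ephemeral range are assumptions.

```python
import ntpath
from typing import Dict, List

# Constructed sample events in a simplified Sysmon-like shape (EventID 1 =
# process creation, EventID 3 = network connection). Paths, addresses and
# command lines are made up for this example, not taken from the samples.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wsl.exe -e /home/dev/loader"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wsl.exe",
     "CommandLine": r"powershell.exe -File C:\Users\dev\stage.ps1"},
    {"EventID": 3, "Image": r"C:\Windows\System32\wsl.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 41337, "SourcePort": 52011},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.8", "DestinationPort": 443, "SourcePort": 41500},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]

WSL_IMAGES = {"wsl.exe", "wslhost.exe", "bash.exe"}      # assumed WSL interop binaries
SUSPECT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe"}
PORT_RANGE = range(39000, 48001)                         # range reported in the article


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return ntpath.basename(path).lower()


def detect_wsl_loader_activity(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that matches a WSL-loader heuristic.

    Developer use of WSL interop will also trip rule 1, so in production
    the hits should be filtered through an allowlist of known workflows.
    """
    findings = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 1:
            # Rule 1: a Windows scripting host spawned by the WSL interop layer.
            if _base(ev["ParentImage"]) in WSL_IMAGES and _base(ev["Image"]) in SUSPECT_CHILDREN:
                findings.append({"event": idx, "rule": "windows_host_spawned_from_wsl",
                                 "image": _base(ev["Image"])})
        elif ev.get("EventID") == 3:
            # Rule 2: WSL-attributed connection with a port in the reported range
            # (checked on both sides, since the article does not say which was ephemeral).
            ports = (ev.get("DestinationPort"), ev.get("SourcePort"))
            if _base(ev["Image"]) in WSL_IMAGES and any(isinstance(p, int) and p in PORT_RANGE for p in ports):
                findings.append({"event": idx, "rule": "wsl_connection_in_reported_port_range",
                                 "dst": ev.get("DestinationIp")})
    return findings
```

Run against `SAMPLE_EVENTS`, the check flags the PowerShell process spawned from wsl.exe and the wsl.exe connection to port 41337, while the Firefox connection whose source port happens to fall in the range is ignored because it is not WSL-attributed.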

Related: Ezuri Memory Loader Abused in Linux Attacks

Related: New Variant of Buer Malware Loader Written in Rust to Evade Detection

Related: Linux Malware Could Run Undetected on Windows: Researchers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
