Attackers Use Linux Binaries as Loaders for Windows Malware
Using Microsoft’s Windows Subsystem for Linux (WSL), attackers have leveraged Linux binaries to load payloads into Windows processes, according to researchers with Black Lotus Labs, the threat intelligence unit of tech company Lumen.
As part of the observed attacks, Linux ELF (Executable and Linkable Format) binaries were employed to inject payloads into running processes using Windows API calls. The ELF binaries were written in Python and packaged as Debian ELF executables using PyInstaller.
“While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virustotal, depending on the sample, as of the time of this writing,” Black Lotus says.
Introduced in 2016, WSL allows for the execution of Linux images on Windows machines, in a near-native environment that eliminates the use of virtual machines. A great tool for developers, the feature also opens the door for new types of abuse in malicious attacks, the security researchers warn.
Black Lotus identified only a small number of malicious samples used in these attacks, suggesting that the activity might be under development or simply limited in scope.
The suspicious ELF files were first identified in August. They were designed to fetch an embedded or remote payload and inject it using Windows APIs, while keeping the attack undetected, since most Windows security tools won’t analyze ELF files.
Two variants of the ELF loader were identified, one written in Python only, and another that used Python to call Windows APIs and to invoke a PowerShell script. Unable to execute on its own, the PowerShell variant appears to be still under development.
In late June and early July, the technique was leveraged in attacks targeting Ecuador and France, interacting with an IP address on ephemeral ports between 39000 and 48000. This, Black Lotus suggests, shows that the adversary might have been only testing the capability, using a VPN or proxy.
“With broader industry detection of this technique, we suspect additional activity will be uncovered. […] We advise defenders who’ve enabled WSL [to] ensure proper logging in order to detect this type of tradecraft,” Black Lotus concludes.
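A defender-side check that follows from the two points above (Windows tooling ignoring ELF files, and the advice to add visibility where WSL is enabled): scan a WSL distribution's root filesystem for ELF executables that carry the PyInstaller archive marker, which is what a Python-built ELF loader of the kind described would contain. This is an added example, not code from Black Lotus Labs; the scan root is a placeholder you would point at the distro's rootfs, and the three sample files are constructed on the fly rather than real samples.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# Marker PyInstaller writes into the archive it appends to bundled executables
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Placeholder: replace with the path of the WSL distribution's root filesystem
DEFAULT_SCAN_ROOT = "/path/to/wsl/rootfs"


def classify_file(path):
    """Return (is_elf, has_pyinstaller_marker) for a single file."""
    with open(path, "rb") as f:
        data = f.read()  # whole-file read; fine for a rootfs of typical size
    if not data.startswith(ELF_MAGIC):
        return (False, False)
    return (True, PYINSTALLER_MAGIC in data)


def classify_tree(root):
    """Walk root and classify every regular file, keyed by relative path."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                results[os.path.relpath(full, root)] = classify_file(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return results


def find_suspicious_elf(root):
    """Relative paths of ELF files that embed a PyInstaller archive."""
    return sorted(p for p, (elf, pyi) in classify_tree(root).items() if elf and pyi)


def build_sample_tree():
    """Constructed fixture: a fake Python-built ELF, a plain ELF, a text file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "loader"), "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64 + PYINSTALLER_MAGIC)
    with open(os.path.join(root, "ls"), "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"plain text " + PYINSTALLER_MAGIC)  # marker alone is not enough
    return root


SAMPLE_ROOT = build_sample_tree()

if __name__ == "__main__":
    for hit in find_suspicious_elf(SAMPLE_ROOT):
        print("PyInstaller-built ELF:", hit)
```

A hit is a lead to triage, not a verdict: legitimate Python tools are also bundled with PyInstaller, so pair the result with process and network logging from the WSL host.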