The Windows Subsystem for Linux (WSL) is becoming a breeding ground for malware, say cybersecurity researchers.
Although WSL-based malware is not particularly new (the first samples were spotted in early September 2021), it is slowly gaining popularity among cybercriminals. According to BleepingComputer, cybersecurity researchers at Lumen Technologies say they have tracked more than 100 samples since then.
The samples vary in complexity as well as in the features they offer. While some are relatively simple, others let the threat actor remotely access the device, run arbitrary code, steal authentication cookies from certain browsers, or download files.
Low detection rate
Some variants are designed as first-stage malware that lets threat actors take screenshots and gather information about the system, which helps them decide the next steps of the compromise, the researchers said. Others are built purely as espionage tools.
The worst part is that these malware variants are relatively difficult to identify, even though they are usually based on publicly available code. In fact, Black Lotus Labs at Lumen Technologies recently found that, of the 57 antivirus engines tested, only two flagged one of the samples as malicious.
All of these things, more features, persistence and lower detection rates, make WSL-based malware a real threat, the researchers concluded, especially as the command-and-control (C2) server infrastructure is still active.
For those looking to protect themselves from WSL-based malware, BleepingComputer notes that the emphasis needs to be on closely monitoring system activity (for example, with Sysmon) in order to detect suspicious behaviour.
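One way to act on that advice, as an added example that is not code from the article, BleepingComputer or Black Lotus Labs: triage Sysmon ProcessCreate (Event ID 1) records for WSL activity, paying most attention to Windows interpreters spawned with a WSL host process as their parent, since a Linux-side payload that "runs arbitrary code" on the Windows side has to cross that boundary. It assumes Sysmon is installed with process-creation logging enabled, that the WSL launcher binaries are wsl.exe, bash.exe and wslhost.exe, and that the list of Windows interpreters worth flagging is the hypothetical one given here.

```powershell
# Added example (not from the article or from Black Lotus Labs): triage Sysmon
# ProcessCreate (Event ID 1) records for WSL activity.
# Assumptions: Sysmon logs process creation, and the WSL launcher binaries are
# wsl.exe, bash.exe and wslhost.exe. The interpreter list is an illustrative choice.

$WslLaunchers = @('\wsl.exe', '\bash.exe', '\wslhost.exe')
# Windows interpreters a Linux-side payload might call back into via WSL interop.
$WindowsInterpreters = @('\powershell.exe', '\pwsh.exe', '\cmd.exe', '\rundll32.exe', '\mshta.exe')

function Test-EndsWithAny {
    param([string]$Path, [string[]]$Suffixes)
    if (-not $Path) { return $false }
    foreach ($s in $Suffixes) {
        if ($Path.EndsWith($s, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-WslIndicator {
    # Takes one record exposing Image, ParentImage and CommandLine (Sysmon EventData
    # fields) and returns a short reason string, or $null if nothing WSL-related is seen.
    param([Parameter(Mandatory)] $Event)
    $parentIsWsl = Test-EndsWithAny $Event.ParentImage $WslLaunchers
    $imageIsWsl  = Test-EndsWithAny $Event.Image $WslLaunchers
    if ($parentIsWsl -and (Test-EndsWithAny $Event.Image $WindowsInterpreters)) {
        # The Linux side reaching back into Windows: the pattern to look at first.
        return 'windows-interpreter-spawned-from-wsl'
    }
    if ($parentIsWsl) { return 'child-of-wsl' }
    if ($imageIsWsl)  { return 'wsl-launched' }
    return $null
}

function ConvertFrom-SysmonEvent {
    # Flatten the EventData of a live Sysmon record into a PSCustomObject.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return [pscustomobject]$data
}

function Get-WslProcessEvents {
    # Live query: pull recent Sysmon Event ID 1 records and keep the WSL-related ones.
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        ForEach-Object {
            $reason = Get-WslIndicator $_
            if ($reason) { $_ | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru }
        } |
        Select-Object UtcTime, Reason, Image, ParentImage, CommandLine
}

# Constructed sample records (not real telemetry) so the logic can be exercised offline.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2022-05-20 10:01:00.000'; Image = 'C:\Windows\System32\wsl.exe';
                       ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'wsl.exe -d Ubuntu' }
    [pscustomobject]@{ UtcTime = '2022-05-20 10:01:07.000'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe';
                       ParentImage = 'C:\Windows\System32\wsl.exe'; CommandLine = 'powershell.exe -nop -w hidden -enc QQBBAEEA' }
    [pscustomobject]@{ UtcTime = '2022-05-20 10:02:00.000'; Image = 'C:\Windows\System32\notepad.exe';
                       ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'notepad.exe' }
)

$SampleEvents |
    ForEach-Object {
        $reason = Get-WslIndicator $_
        if ($reason) { $_ | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru }
    } |
    Format-Table UtcTime, Reason, Image, ParentImage -AutoSize

# On a host with Sysmon, run the live version instead:
# Get-WslProcessEvents | Format-Table -AutoSize
```

Of the three constructed records, the plain wsl.exe launch and the hidden, encoded PowerShell spawned from wsl.exe are reported, while notepad is not. A bare 'wsl-launched' hit is only interesting on machines where WSL is not supposed to be in use at all; elsewhere, tune on the parent/child pairs and the command lines, and check which WSL host process actually appears as ParentImage in your own telemetry for interop-launched Windows binaries.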
WSL first appeared in 2016 with the Windows 10 Anniversary Update. It was described as a new way to use GNU and Linux tools without needing two separate operating systems. Although it did not initially provide a full Linux kernel, that changed in mid-2019, when WSL 2 was introduced.