[TheRecord] Malware samples found trying to hack Windows from its Linux subsystem

Security researchers at Lumen’s Black Lotus Labs have found a series of malware samples that were configured to infect the Windows Subsystem for Linux and then pivot to its native Windows environment.

Researchers claim the samples are the first of their kind, although security experts have theorized as far back as 2017 that such attacks would be possible at some point.

Coded in Python, the malware samples were compiled to run on Debian systems. Initial samples were discovered in May, and the last was found last month, in August, with the samples growing in complexity across the year.

The malware was packed as an ELF binary that, when opened, acted as a loader to execute a secondary payload. The secondary payload was either embedded within the initial malware sample or was retrieved from a remote server.

The secondary payload would be injected into a running Windows process using Windows API calls for what Lumen described as “ELF to Windows binary file execution.” The final stages included running PowerShell or shellcode on the underlying Windows OS.

Detection rates on VirusTotal were low for all samples. Black Lotus researchers cited the fact that Linux security software isn’t configured to look for Windows API calls inside Linux binaries as the reason for the low detection.
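As an added defensive illustration (not code from The Record or from Black Lotus Labs), the following Python heuristic does what the researchers say Linux scanners typically do not: it pulls printable strings out of an ELF image and flags Windows API and DLL names that have no business in a Linux binary. The indicator list, the scoring threshold and the two embedded sample buffers are constructed assumptions for the demonstration, not values taken from the report.

```python
import re

# Constructed watchlist: Windows DLLs and API names associated with
# process injection. Illustrative only, not the report's indicator list.
WINDOWS_API_INDICATORS = {
    "kernel32.dll", "ntdll.dll", "OpenProcess", "VirtualAllocEx",
    "WriteProcessMemory", "CreateRemoteThread", "LoadLibraryA",
    "GetProcAddress", "powershell.exe",
}

ELF_MAGIC = b"\x7fELF"


def is_elf(data: bytes) -> bool:
    """True when the buffer starts with the ELF magic bytes."""
    return data[:4] == ELF_MAGIC


def printable_strings(data: bytes, min_len: int = 6):
    """Yield runs of printable ASCII of at least min_len bytes (like `strings`)."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield match.group().decode("ascii")


def windows_api_hits(data: bytes) -> set:
    """Return the Windows indicators found among an ELF image's strings.

    Non-ELF buffers (e.g. a PE file, where these names are normal) return an
    empty set so the caller can skip them instead of raising false alarms.
    """
    if not is_elf(data):
        return set()
    hits = set()
    for s in printable_strings(data):
        for indicator in WINDOWS_API_INDICATORS:
            if indicator.lower() in s.lower():
                hits.add(indicator)
    return hits


def triage(data: bytes, threshold: int = 3) -> str:
    """Label a buffer 'suspicious' once enough distinct indicators co-occur."""
    return "suspicious" if len(windows_api_hits(data)) >= threshold else "benign"


# Constructed samples: ELF magic plus a few header bytes, followed by the kind
# of strings an ELF-to-Windows loader would carry (SUSPECT) or that an
# ordinary Linux program would carry (CLEAN). Neither is a real binary.
_HEADER = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
SUSPECT = _HEADER + (b"some text\x00kernel32.dll\x00OpenProcess\x00VirtualAllocEx"
                     b"\x00WriteProcessMemory\x00CreateRemoteThread\x00")
CLEAN = _HEADER + b"libc.so.6\x00printf\x00/bin/sh\x00"

if __name__ == "__main__":
    print("SUSPECT:", triage(SUSPECT), sorted(windows_api_hits(SUSPECT)))
    print("CLEAN:", triage(CLEAN))
```

A string scan like this is cheap to add to a YARA ruleset or a file-upload pipeline, and a real deployment would also inspect sections rather than the whole file to cut false positives from embedded documentation.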

“Thus far, we have identified a limited number of samples with only one publicly routable IP address, indicating that this activity is quite limited in scope or potentially still in development,” the company said in research published today and shared with The Record.

“Based on Black Lotus Labs visibility on the one routable IP address, this activity appeared to be narrow in scope with targets in Ecuador and France interacting with the malicious IP (185.63.90[.]137) on ephemeral ports between 39000 – 48000 in late June and early July,” the team added.

Researchers believe the malware developer had tested the malware from behind a VPN or proxy node, citing the small number of connections made to that IP address, which hadn’t previously seen regular traffic flow.

Indicators of compromise and file hashes are available in the Black Lotus Labs report.

The post Malware samples found trying to hack Windows from its Linux subsystem appeared first on The Record by Recorded Future.

