[TheRecord] Malware samples found trying to hack Windows from its Linux subsystem

Security researchers at Lumen’s Black Lotus Labs have found a series of malware samples that were configured to infect the Windows Subsystem for Linux and then pivot to its native Windows environment.

Researchers claim the samples are the first of their kind, although security experts have theorized as far back as 2017 that such attacks would become possible at some point.

Coded in Python, the malware samples were compiled to run on Debian systems. Initial samples were discovered in May, and the last was found last month, in August, with the samples growing in complexity across the year.

The malware was packed as an ELF binary that, when opened, acted as a loader to execute a secondary payload. The secondary payload was either embedded within the initial malware sample or was retrieved from a remote server.

The secondary payload would be injected into a running Windows process using Windows API calls for what Lumen described as “ELF to Windows binary file execution.” The final stages included running PowerShell or shellcode on the underlying Windows OS.

Detection rates on VirusTotal were low for all samples. Black Lotus researchers cited the fact that Linux security software isn’t configured to look for Windows API calls inside Linux binaries as the reason for the low detection.
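
The detection gap the researchers describe, Linux tooling not looking for Windows API references inside ELF files, is cheap to close with a string-level triage check. The following is an added example written for this article, not Black Lotus Labs' or The Record's code; the marker list is an assumed set of Windows loader and injection API names commonly used in detection rules, and the ELF blobs are constructed, not real samples.

```python
import re

# Windows API names and tooling that have no business inside a Linux ELF.
# Assumed set for illustration; extend it from your own detection rules.
WINDOWS_MARKERS = {
    "kernel32.dll", "ntdll.dll", "VirtualAllocEx", "WriteProcessMemory",
    "CreateRemoteThread", "OpenProcess", "powershell.exe",
}

ELF_MAGIC = b"\x7fELF"


def is_elf(blob: bytes) -> bool:
    """True if the blob starts with the ELF header magic (0x7f 'E' 'L' 'F')."""
    return blob[:4] == ELF_MAGIC


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def windows_markers_in_elf(blob: bytes) -> set[str]:
    """Return the Windows API / tooling markers found in an ELF image.

    Non-ELF input yields an empty set, so the check can run over a directory
    of mixed files without pre-filtering. One hit is worth a look; several
    together are a strong signal that the ELF is a Windows-targeting loader.
    """
    if not is_elf(blob):
        return set()
    found = set()
    for s in extract_strings(blob):
        for marker in WINDOWS_MARKERS:
            if marker.lower() in s.lower():
                found.add(marker)
    return found


# Constructed sample: ELF magic plus strings of the kind a WSL-to-Windows
# loader would carry. Not a real binary and not one of the reported samples.
SAMPLE_ELF = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
    + b"/lib64/ld-linux-x86-64.so.2\x00kernel32.dll\x00VirtualAllocEx\x00"
    + b"WriteProcessMemory\x00CreateRemoteThread\x00powershell.exe\x00"
)
# Constructed benign ELF referencing only ordinary Linux symbols.
BENIGN_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"libc.so.6\x00printf\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_ELF), ("benign", BENIGN_ELF)):
        print(f"{name}: {sorted(windows_markers_in_elf(blob)) or 'no Windows markers'}")
```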

“Thus far, we have identified a limited number of samples with only one publicly routable IP address, indicating that this activity is quite limited in scope or potentially still in development,” the company said in research published today and shared with The Record.

“Based on Black Lotus Labs visibility on the one routable IP address, this activity appeared to be narrow in scope with targets in Ecuador and France interacting with the malicious IP (185.63.90[.]137) on ephemeral ports between 39000 – 48000 in late June and early July,” the team added.

Researchers believe the malware developer had tested the malware from behind a VPN or proxy node, citing the small number of connections made to that IP address, which hadn’t previously seen regular traffic flow.

Indicators of compromise and file hashes are available in the Black Lotus Labs report.

The post Malware samples found trying to hack Windows from its Linux subsystem appeared first on The Record by Recorded Future.
