Hackers could turn Windows Subsystem for Linux into a secret weapon

Windows Subsystem for Linux (WSL) is becoming a breeding ground for malware, cybersecurity researchers are saying.

While WSL-based malware is not particularly new (spotted as early as September 2021), it’s been rising in popularity among cybercriminals of late. Speaking to BleepingComputer, cybersecurity researchers from Lumen Technologies said they’ve managed to track more than 100 samples since then.

The samples vary in complexity, as well as features on offer. While some are relatively simple, others enable threat actors to remotely access devices, run arbitrary code, steal authentication cookies from specific browsers, or download files. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Low detection rates

Some variants are designed as stage-one malware, allowing threat actors to take screenshots and obtain system information, which help them determine the next steps in compromise, the researchers further stated. Others are built as pure espionage tools.

The worst part is that these malware variants are relatively difficult to spot, even though they’re usually based on code that’s available to the general public. In fact, Lumen Technologies’ Black Lotus Labs recently discovered that out of 57 antivirus solutions put to the test, only two flagged these variants as malicious.

All of these things – more features, persistence, low detection rates – make WSL-based malware a real threat, the researchers concluded, especially with active C2 server infrastructure in place. 

Those interested in keeping safe from WSL-based malware, BleepingComputer emphasized, need to closely monitor system activity (SysMon, for example), and look for suspicious happenings. 

WSL was first showcased in 2016, together with the Windows 10 Anniversary Update. It was described as a new way to access GNU and Linux tools, without the need for two separate operating systems. While at first it didn’t provide full access to the Linux kernel, this was made possible in mid-2019, when WSL 2 was released. 

Via BleepingComputer