
Hackers target the Windows subsystem for Linux

Hackers are showing increasing interest in the Windows Subsystem for Linux (WSL) as a target. Security researchers have discovered new malware to match: some samples spy on users and steal data, others serve as loaders for additional malware.

According to a new report from the online magazine Bleeping Computer, the Windows Subsystem for Linux is becoming a popular target for attackers, not least because WSL runs unmodified Linux binaries on Windows (WSL 1 translates Linux system calls into Windows ones, WSL 2 runs a real Linux kernel in a lightweight virtual machine). Recently discovered WSL-based malware samples are built on open-source code that routes their command-and-control traffic through the Telegram messaging service and gives the threat actor remote access to the compromised system. Once that access is established, further malware can be loaded onto the PC.

The number of such attacks has been rising steadily since September 2021. Part of the problem is that they frequently are not detected at all; the security researchers at Black Lotus Labs warn of a considerable blind spot here. Black Lotus Labs says it has identified more than 100 samples of WSL-based malware since last fall.

Some are more advanced than others and therefore more dangerous. Of the samples analysed so far, two stand out because they can act as a remote access tool (RAT) or set up a reverse shell on the infected host.

Spy tools used for credential theft

These samples can additionally take screenshots and collect user and system information (username, IP address, OS version), which the attacker uses to decide which malware or utilities to deploy in the next phase of the compromise.

The resulting multi-stage attacks often go unnoticed until it is too late. According to Black Lotus Labs, the malicious samples were flagged as malicious by only two of the 57 antivirus engines on VirusTotal.

Black Lotus Labs has warned in the past that threat actors are exploring WSL for their purposes. How far this has progressed is shown by the low detection rates of AV vendors. The general recommendation for defending against WSL-based threats is to monitor system activity closely, using tools such as Sysmon, so that suspicious activity is identified quickly.
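As an added example of what "monitor with Sysmon" can look like in practice (this is not code from the article or from Black Lotus Labs), the following PowerShell hunt pulls Sysmon process-creation events (Event ID 1) from the default Sysmon channel and flags two things: the WSL launcher images themselves being started, and any Windows binary whose parent is one of those images, which is what a WSL-resident RAT running a Windows command through interop would produce. The image list in $WslImages, the seven-day look-back window and the output fields are choices made for this example; adjust them to your environment.

```powershell
# Added example: hunt Sysmon ProcessCreate events for WSL-related activity.
# Assumptions (not from the article): Sysmon is installed and writes to the
# default channel 'Microsoft-Windows-Sysmon/Operational' with ProcessCreate
# (Event ID 1) enabled, and the Windows-side launcher images of interest are
# wsl.exe, wslhost.exe and bash.exe (the legacy launcher name).
$WslImages = @('\wsl.exe', '\wslhost.exe', '\bash.exe')
$Since     = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $Since
} -ErrorAction Stop

$findings = foreach ($e in $events) {
    # Sysmon stores its fields as <Data Name="...">value</Data> elements.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    $image  = $data['Image']
    $parent = $data['ParentImage']

    # Match on the file name at the end of the full path.
    $isWslImage  = $WslImages | Where-Object { $image  -like "*$_" }
    $isWslParent = $WslImages | Where-Object { $parent -like "*$_" }

    if ($isWslImage -or $isWslParent) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $data['User']
            Image       = $image
            ParentImage = $parent
            CommandLine = $data['CommandLine']
            Reason      = if ($isWslParent) { 'Windows process spawned from WSL' }
                          else               { 'WSL launcher started' }
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Two caveats a practitioner should keep in mind. First, under WSL 2 the Linux processes run inside the utility VM and never appear in Windows-side Sysmon; what Sysmon sees is the launcher, the helper process and anything the Linux side starts through interop, so the "spawned from WSL" rule is the one that catches the RAT doing something on the Windows host, while the "launcher started" rule is mainly a baseline signal on machines where WSL is not expected at all. Second, the same match can be applied at collection time instead of at query time by adding a ProcessCreate include rule on Image and ParentImage (condition "end with", value "\wsl.exe") to the Sysmon configuration, which keeps the events even when the log rolls over before a hunt runs.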