New Python-Based Malware Uses Windows Subsystem for Linux To Evade Detection

Lumen Black Lotus Labs has identified Linux binaries, including Python-based malware, built for the Windows Subsystem for Linux (WSL) to evade detection. The threat actors are seeking new techniques to stealthily compromise Windows computers.

The targets of the unknown attackers were found in Ecuador and France, and the samples communicated with a malicious IP address (185.63.90[.]137) in late June and early July this year.

The researchers identified the first samples at the beginning of May, and those, too, were aimed at WSL. The presence of these malicious Linux binaries implies that threat actors are trying new methods to target Windows systems and circumvent detection.

Technical Analysis

The samples share related tradecraft and were written for Python 3.9, and all of them were packaged with PyInstaller for Debian, version 8.3.0-6.

Some of the samples included lightweight payloads of the kind that can easily be generated with open-source tools such as MSFVenom or Meterpreter, while in other cases the files tried to download shellcode from a remote C2 server.

Python Variant

This variant was written in Python and does not use any Windows API, which appears to be one of the newer emphases of the loader file.

Its other notable feature is that the loader used only standard Python libraries, apparently so that it would be cross-compatible and run on both Linux and Windows machines.

During the investigation the researchers also identified one test sample in which the script writes out the words “Пивет Саня”, which translates from Russian as a simple “Hello Sanya,” suggesting that the author has some familiarity with the language.

Other malicious files were also discovered, all of which communicated with the same IP address, in the same timeframe, as the samples containing Meterpreter payloads.

WSL Variant Using PowerShell And Ctypes

The way the ELF files executed Windows binaries varied across the samples: in some, PowerShell was used to inject and run the shellcode, while in others Python ctypes was used to resolve and call the Windows APIs.

Because threat actors are taking full advantage of these new techniques, the security analysts advise defenders who have invested in WSL to ensure proper logging so that this type of tradecraft can be uncovered.
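As an added illustration of the logging-based check the advice above points at (this is not code from the Black Lotus Labs report or from this article), the script below walks Sysmon-style process-creation records, constructed here for the example, and flags Windows-side PowerShell or Python processes whose ancestry passes through a WSL host process, plus any command line carrying the IP reported above. The set of process names treated as WSL hosts and the record field names are assumptions.

```python
import json

# Assumed set of Windows-side processes that host a WSL session; extend for your environment
WSL_HOSTS = {"wsl.exe", "wslhost.exe", "bash.exe"}
# Windows-side tools the article says the samples relied on for shellcode handling
SUSPECT_CHILDREN = {"powershell.exe", "pwsh.exe", "python.exe", "python3.exe"}
C2_INDICATORS = {"185.63.90.137"}  # the IP reported in the article, as a log would carry it

# Constructed Sysmon-style process-creation records (not real telemetry), one JSON object per line
SAMPLE_EVENTS = r"""
{"ProcessId": 4100, "ParentProcessId": 900, "Image": "C:\\Windows\\System32\\wsl.exe", "CommandLine": "wsl.exe -d Debian"}
{"ProcessId": 4120, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\wslhost.exe", "CommandLine": "wslhost.exe"}
{"ProcessId": 4150, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File stage.ps1"}
{"ProcessId": 4160, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\curl.exe", "CommandLine": "curl.exe http://185.63.90.137/"}
{"ProcessId": 5000, "ParentProcessId": 900, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Process"}
{"ProcessId": 5200, "ParentProcessId": 4120, "Image": "C:\\Users\\bob\\AppData\\Local\\Programs\\Python\\python.exe", "CommandLine": "python.exe loader.py"}
"""

def parse_events(text):
    """Index records by ProcessId. Real telemetry should key on ProcessGuid, since PIDs get reused."""
    return {ev["ProcessId"]: ev for ev in (json.loads(line) for line in text.strip().splitlines() if line.strip())}

def image_name(image):
    return image.rsplit("\\", 1)[-1].lower()

def launched_via_wsl(ev, events, max_hops=5):
    """Walk the parent chain and report whether any ancestor is a WSL host process."""
    pid = ev.get("ParentProcessId")
    for _ in range(max_hops):
        parent = events.get(pid)
        if parent is None:
            return False
        if image_name(parent["Image"]) in WSL_HOSTS:
            return True
        pid = parent.get("ParentProcessId")
    return False

def find_suspicious(text):
    # Returns (pid, image name, reasons) for every record that trips a rule
    events = parse_events(text)
    hits = []
    for pid, ev in events.items():
        reasons = []
        if image_name(ev["Image"]) in SUSPECT_CHILDREN and launched_via_wsl(ev, events):
            reasons.append("wsl-chain")
        if any(ioc in ev.get("CommandLine", "") for ioc in C2_INDICATORS):
            reasons.append("c2-indicator")
        if reasons:
            hits.append((pid, image_name(ev["Image"]), reasons))
    return hits
```

Running find_suspicious(SAMPLE_EVENTS) flags the PowerShell and Python processes launched under wslhost.exe and the curl.exe call to the reported IP, while the PowerShell started from the desktop is left alone.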

Black Lotus Labs continues to monitor the activity of these threat actors in order to identify and block similar compromises, and encourages other organisations to familiarise themselves with this kind of campaign.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.