Windows Subsystem for Linux (WSL) is becoming a breeding ground for malware, cybersecurity researchers are saying.
While WSL-based malware is not particularly new (spotted as early as September 2021), it’s been rising in popularity among cybercriminals of late. Speaking to BleepingComputer, cybersecurity researchers from Lumen Technologies said they’ve managed to track more than 100 samples since then.
The samples vary in complexity, as well as features on offer. While some are relatively simple, others enable threat actors to remotely access devices, run arbitrary code, steal authentication cookies from specific browsers, or download files.
Low detection rates
Some variants are designed as stage-one malware, allowing threat actors to take screenshots and obtain system information, which help them determine the next steps in compromise, the researchers further stated. Others are built as pure espionage tools.
The worst part is that these malware variants are relatively difficult to spot, even though they’re usually based on code that’s available to the general public. In fact, Lumen Technologies’ Black Lotus Labs recently discovered that out of 57 antivirus solutions (opens in new tab) put to the test, only two flagged these variants as malicious.
All of these things – more features, persistence, low detection rates – make WSL-based malware a real threat, the researchers concluded, especially with active C2 server infrastructure in place.
Those interested in keeping safe from WSL-based malware, BleepingComputer emphasized, need to closely monitor system activity (SysMon, for example), and look for suspicious happenings.
WSL was first showcased in 2016, together with the Windows 10 Anniversary Update. It was described as a new way to access GNU and Linux tools, without the need for two separate operating systems. While at first it didn’t provide full access to the Linux kernel, this was made possible in mid-2019, when WSL 2 was released.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba