Malware WSL appeared with the ability to steal browser authentication cookies

Hackers are showing particular interest in Windows Subsystem for Linux (WSL). When developing malware, hackers are seeing WSL as a new attack surface. Malware attacking via WSL has advanced configuration with the ability to spy or download and install additional malicious modules.

As the name suggests, WSL allows running Linux binaries natively on Windows in a Linux kernel emulation environment.

Based on newly obtained samples, the researchers found that malware targeting WSL is based on open source code that routes communication through the messaging service Telegram and allows remote attackers to gain access to the compromised system. .

Malware WSL appeared with the ability to steal browser authentication cookies Picture 1

The first WSL malware was discovered about a year ago. Since then, their number has continuously increased. Although based on publicly available source code, the ability to detect WSL malware is very low.

Among the samples analyzed, the most notable was a piece of malware that could act as a remote access tool (RAT) or set up a reverse shell on an infected host.

One of the more recent models called RAT-via-Telegram is based on the open source tool Pythoon. It has additional functions to steal authentication cookies from Google Chrome and Opera browsers, run commands or download files.

Black Lotus Labs researchers shared that this malware comes with bot token and live chat ID. This shows that it depends on a dynamic command and control mechanism.

Additional functions of this variant include taking screenshots, obtaining user and system information (username, IP address.) to help attackers easily determine what kind of malicious code they should use in next step. Only 2 of the 57 tools on Virus Total flag this malware as malicious.

A second recently discovered WSL malware installs a reverse TCP shell on the infected computer to communicate with attackers. Looking at the code, the researchers found that it used an IP address from Amazon Web Services that was previously used by several entities.

Both of these malware can be used for spying purposes and can download files that extend their functionality.

Over the years, malware creators have improved their skills and are able to create malware that can work on both Windows and Linux. Besides, malware can now simultaneously upload or download files or execute attacker commands.

According to researchers, malware will grow more and more sophisticated. Therefore, to protect themselves or their business, users need to closely monitor system activity (e.g. SysMon) to identify suspicious activity and investigate commands.

David Pac

Update 31 May 2022