[MART] - Daily Diary #350 - Malware Using Linux Executables As Windows Loaders

CTAS-MAT ctas-mat at appgate.com
Fri Sep 17 23:21:03 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

09/17/2021 - Diary entry #350:


Researchers recently identified malicious samples that target Windows but are compiled as Linux ELF binaries and run through the Windows Subsystem for Linux (WSL). Most are written in Python 3, either pure Python or using ctypes to reach the Windows API, and some also use PowerShell. They act as loaders: the payload, either embedded in the file or downloaded at runtime, is injected into a running Windows process using Windows API calls.


WSL is a compatibility layer for running Linux binaries (in ELF format) natively on Windows 10 and 11, which gives users access to Linux command-line tools from Windows. However, WSL is not enabled for all Windows 10 users by default: the feature has to be installed manually, or obtained by joining the Windows Insider program.


The samples have been spotted in the wild since May 2021, and we believe that they are under active development. The payloads executed by these loaders contain threats generated by open-source tools such as Meterpreter and MSFVenom, or shellcode downloaded from C2 servers. While these threats are not complex, new attack vectors are always dangerous precisely because they evade most anti-malware engines.
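One practical consequence of the entry above is that a Linux ELF sitting on a Windows host has no business referencing kernel32 or CreateRemoteThread; a defender can use that as a triage signal. The script below is an added example written for this diary entry, not code from the entry itself or from the researchers' report: it checks the ELF header, pulls printable strings the way strings(1) does, and flags files whose strings carry enough Windows-API and ctypes indicators. The indicator list, the hit threshold of three, and the two sample files (built inline, not real malware) are this example's own assumptions.

```python
"""Triage heuristic for WSL-hosted loaders: flag ELF files that carry Windows-API
and ctypes indicators. Added example, not code from the diary entry or from the
researchers it summarises. The indicator list, the hit threshold and the two
constructed sample files below are this example's own assumptions."""
import re
import struct

ELF_MAGIC = b"\x7fELF"

# Windows-side artefacts that a Linux ELF has no legitimate reason to carry.
# A PyInstaller-bundled script reaching kernel32 through ctypes leaves these
# names in the binary; a native Linux tool does not. (Assumed indicator list.)
WINDOWS_INDICATORS = [
    b"kernel32", b"ntdll", b"windll", b"ctypes",
    b"VirtualAlloc", b"WriteProcessMemory", b"CreateRemoteThread",
    b"OpenProcess", b"CreateThread", b"WaitForSingleObject",
]


def elf_header(data: bytes):
    """Return (bits, e_machine) from the ELF header, or None if not an ELF."""
    if data[:4] != ELF_MAGIC or len(data) < 20:
        return None
    bits = 32 if data[4] == 1 else 64          # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    e_machine = struct.unpack(endian + "H", data[18:20])[0]
    return bits, e_machine


def printable_strings(data: bytes, min_len: int = 6):
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}"
    return [m.group(0) for m in re.finditer(pattern, data)]


def find_windows_indicators(data: bytes):
    """Sorted, de-duplicated indicator names found in the file's strings."""
    hits = {ind.decode() for s in printable_strings(data)
            for ind in WINDOWS_INDICATORS if ind in s}
    return sorted(hits)


def triage(data: bytes, min_hits: int = 3) -> dict:
    """Classify a file: not an ELF, an ELF, or an ELF with enough Windows-API
    indicators to deserve a closer look. min_hits is an assumed threshold that
    keeps a benign ctypes-using bundle (one or two hits) out of the alert."""
    hdr = elf_header(data)
    if hdr is None:
        return {"elf": False, "suspicious": False, "indicators": []}
    hits = find_windows_indicators(data)
    return {"elf": True, "bits": hdr[0], "machine": hdr[1],
            "indicators": hits, "suspicious": len(hits) >= min_hits}


def build_sample(strings) -> bytes:
    """Constructed test input: a minimal ELF64 x86-64 header (64 bytes, mostly
    zero) followed by NUL-separated strings standing in for the file body."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, v1
    header = ident + struct.pack("<HHI", 2, 0x3E, 1)         # ET_EXEC, x86-64
    header += b"\x00" * (64 - len(header))
    return header + b"\x00".join(strings)


# Constructed samples, not real malware: one plain Linux tool, one that looks
# like a ctypes-based loader reaching the Windows API from inside WSL.
BENIGN_SAMPLE = build_sample([
    b"/lib64/ld-linux-x86-64.so.2", b"libc.so.6", b"GLIBC_2.2.5", b"printf",
])
LOADER_SAMPLE = build_sample([
    b"python3.8", b"PyInstaller", b"ctypes", b"kernel32.dll",
    b"VirtualAlloc", b"WriteProcessMemory", b"CreateRemoteThread",
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("loader", LOADER_SAMPLE)):
        print(name, triage(sample))
```

Two caveats for real use. PyInstaller compresses the modules it bundles, so on a packed sample the indicators may only become visible after the archive is extracted; run the check on the extracted contents as well as on the outer ELF. And a strings match is a triage signal, not a verdict: the entry notes that these loaders inject via Windows API calls, so the confirming evidence is a WSL-launched process reaching into another Windows process, which this static check cannot see.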

Kind Regards,





Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549
