CATEGORIES
home News

Windows Subsystem For Linux Malware Feasts On Your Browser Auth Cookies

by Lane BabuderMonday, May 30, 2022, 01:47 PM EDT
ubuntu 22 04 wsl
Another week, another malware attack vector has become increasingly popular amongst malicious software distributors. The vector has existed since late 2021, but it is potentially bad for Linux enthusiasts who use Windows.

Said attack vector that has gained in popularity is a utilization of the Windows Subsystem for Linux. There are a few interesting factors associated with this attack. The first, and somewhat most curious, factor is that the majority of code that can be used for these attacks are open source. Meaning the developers or writers of this malware have consistently or regularly posted up the very code that is used on sources such as BitBucket or GitHub.

The next major factor is that the security risk is not from Windows Subsystem for Linux itself, or Windows itself specifically, but because of interoperability between the two. Utilizing a Remote Attack Tool (RAT) the malware can access the host computer allowing it to create devastation upon the host machine. One particularly popular one is called RAT via Telegram. While by itself it does not necessarily pose a threat as it can be a useful tool, combined with access to a host computer and malware, there is definitely a pretty significant risk factor. That increased risk factor goes hand in hand with the fact that in some cases the Linux shell can access to the Windows shell, with some work.

ubuntu wsl
WSL Installing on Windows

Researchers at Lumen Technologies' Black Lotus Labs have reported a relative increase in the usage of these tools with malware since its discovery in September of 2021. Malware often used alongside this include keyloggers, screen capture software, OS and user system info grabbers, such as username, IP address and OS details. Of course, it can also grab browser auth-cookies, which can be used to emulate users on web sites. All of these can be potentially problematic if in the wrong hands.

Additionally, what has been a really common theme amongst malware writers as of late is that data reporting for their stolen information often just gets sent back to a cloud service provider. Most commonly something like an Amazon Web Services server or utility, likely due to the ability to rapidly deploy, redeploy, and remove. This makes it relatively hard to track and confirm who exactly is actually performing these malicious actions.

shellcode injector resized
Shellcode Injector, source: Lumen Technologies Black Lotus Labs

The advice to most users is to pay close attention to your system monitors for both your Windows and Linux environments. On Linux this is most commonly just called SysMon. You can also keep a close eye on your networking behavior, as if you see any data going somewhere you're not necessarily expecting you may have a risk of infection from this malware.
Tags:  Linux, security, Windows, wsl, wsl2
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment