Saturday, October 12, 2024
HomeCyber Security NewsNew Windows Subsystem For Linux Malware Steals Credentials & Record Keystrokes

New Windows Subsystem For Linux Malware Steals Credentials & Record Keystrokes

Published on

Malware protection

There has been an increasing amount of interest in targeting the Windows Subsystem for Linux (WSL), due to the fact that they continue to develop new malware, as hackers continue to analyze WSL for potential exploits. 

Having such a sample available for espionage purposes and for the downloading of extra malicious components would be acceptable. By using WSL, native Linux binaries are operated on Windows as if the Linux kernel were emulating the operating system.

It has been discovered that there have been several WSL-based malware samples on the loose that are derived from open-source. The threat actor is able to connect to the compromised system remotely through Telegram, via which they are able to send messages to the compromised system.

- Advertisement - SIEM as a Service

Tools & Modules

Here below we have mentioned all the tools and modules used:-

  • “Keyjeek” Keylogger Utilizing Gmail
  • Shellcode Injector
  • Stub.py Stager
  • “Lee” Agent
  • DiscordRAT
  • Discord Token Grabber
  • Keylogger
  • Telegram-Based Bot
  • Password Dumper Module

Technical Analysis

Security researchers at Lumen Technologies’ Black Lotus Labs have reported that it was almost a year ago that the malicious binaries for WSL were first spotted.

During the past several years, the number of variants has grown steadily, and despite the fact that all of them are based on publicly available code, they suffer from low detection rates.

Since the last fall, more than 100 samples of malware based on WSL have been tracked by Black Lotus Labs researchers. Two of them stand out from the rest due to their abilities to function as RAT or to generate a reverse shell on the infected host, among many other features they possess.

RAT-via-Telegram Bot was one of the most recent examples of using Python-based open-source software to provide it with the control. 

The bot, which is available for the Google Chrome and Opera web browsers, allows for manual control of Telegram, the ability to steal authentication cookies, as well as the ability to run commands and download files with ease.

Live bot tokens and chat IDs were included in the malware, which indicated that it had an active mechanism of command and control.

The second WSL-based malware sample which has recently been discovered uses a reverse TCP shell to communicate with an attacker on a computer that has been infected with it.

In addition, both malware pieces are capable of downloading files with the purpose of extending their functionality and have the capability to be used for espionage purposes.

When it comes to defending your network against WSL-based threats, the general recommendation is to closely monitor the activity of the system in order to spot suspicious activities.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...