fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New Malware Uses Windows Subsystem For Linux For Stealthy Attacks

New Malware Uses Windows Subsystem For Linux For Stealthy Attacks

Security researchers have discovered malicious Linux binaries created for the Windows Subsystem for Linux (WSL), indicating that hackers are trying out new methods to compromise Windows machines.

The finding underlines that threat actors are exploring new methods of attack and are focusing their attention on WSL to evade detection.

Using WSL to avoid detection

The first samples targeting the WSL environment were discovered in early May and continued to appear every two to three weeks until August 22. They act as loaders for the WSL environment and enjoy very low detection on public file scanning services.

In a report today, security researchers at Lumen’s Black Lotus Labs say that the malicious files either have the payload embedded or fetch it from a remote server.

The next step is to inject the malware into a running process using Windows API calls, a technique that is neither new nor sophisticated.

From the small number of samples identified, only one came with a publicly routable IP address, hinting that threat actors are testing the use of WSL to install malware on Windows.

Also Read: What Does A Data Protection Officer Do? 5 Main Things

The malicious files rely mainly on Python 3 for carrying out their tasks and are packaged as an ELF executable for Debian using PyInstaller.

“As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality” – Black Lotus Labs

Less than a month ago, one of the malicious Linux files was detected by just one antivirus engine on VirusTotal. Refreshing the scan on another sample showed that it went completely undetected by the engines on the scanning service

WSL malware evading detection

Python and PowerShell

One of the variants, written completely in Python 3, does not use any Windows API and seems to be the first attempt at a loader for WSL. It uses standard Python libraries, which makes it compatible with both Windows and Linux.

The researcher found in a test sample code that prints “Hello Sanya” in Russian. All but one file associated with this sample contained local IP addresses, while the public IP pointed to 185.63.90[.]137, already offline when the researchers tried to grab the payload.

Another “ELF to Windows” loader variant relied on PowerShell to inject and execute the shellcode. One of these samples used Python to call functions that killed the running antivirus solution, established persistence on the system, and run a PowerShell script every 20 seconds.

Based on inconsistencies observed when analyzing several samples, the researchers believe that the code is still being developed, although in the final stage.

The limited visibility from the public IP address indicates activity restricted to targets in Ecuador and France between late June and early July.

Black Lotus Labs assesses that the WSL malware loaders are the work of a threat actor testing the method from a VPN or proxy node.

Microsoft introduced Windows Subsystem for Linux in April 2016. In September 2017, when WSL was freshly out of beta, researchers at Check Point demonstrated an attack they called Bashware where WSL could be abused to hide malicious code from security products.

Also Read: The DNC Registry Singapore: 5 Things You Must Know

The report from Lumen’s Black Lotus Labs provides indicators of compromise associated with the detected campaign to help defenders create detection rules. For file hashes and data on this actor’s wider activity, the researchers point to the company’s GitHub page

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us