WSL in the Malware Ecosystem
Summary
The article explains how malicious JavaScript can detect Windows Subsystem for Linux (WSL) on a host and then enumerate Windows user information and directories. The sample—ottercookie-socketScript-module-3.js—is attributed to the Cryxos infostealer family. Using environment variables plus file-system probes, the code looks for WSL markers and then maps Windows data exposed through WSL mount points (for example, user paths under /mnt/c/Users). The write-up frames this as WSL being misused as a living-off-the-land capability.
Investigation
Analysis points to two functions, is_wsl() and get_wu(), which look for WSL-specific artifacts and retrieve the logged-in Windows username. If WSL is present, the malware expands its collection scope by adding /mnt to its scan targets so it can traverse host drives through mounted paths and enumerate user directories. The sample’s SHA256 hash was not published, but the filename was provided for hunting and correlation.
Mitigation
Watch for unusual WSL use on production endpoints, including suspicious activity via \\wsl$ shares and unexpected access to mounted host volumes. Disable or restrict WSL where it is unnecessary, and detect scripts that query WSL environment variables or read /proc/version. Also monitor for JavaScript runtimes spawning cmd.exe to echo %USERNAME% during host profiling.
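One way to implement the cmd.exe signature this write-up describes, as an added example that is not part of the original article or the sample's code: a small Python detector run over constructed Sysmon-style process-creation events. The field names, the JS_RUNTIMES set and the sample events are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation records (EventID 1); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo %USERNAME%",
     "ParentImage": r"C:\Program Files\nodejs\node.exe", "User": "LAB\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "echo %USERNAME% > out.txt"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": "LAB\\bob"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "LAB\\bob"},
    # Same command line but a file-create event, so it must not match a process rule.
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo %USERNAME%",
     "ParentImage": r"C:\Program Files\nodejs\node.exe", "User": "LAB\\alice"},
]

# The exact host-profiling command the article names; %USERNAME% is matched literally.
ECHO_USERNAME = re.compile(r"\becho\s+%USERNAME%", re.IGNORECASE)

# Assumed set of JavaScript runtimes; a cmd.exe child of one of these is the
# "JavaScript runtime spawning cmd.exe" pattern from the Mitigation section.
JS_RUNTIMES = {"node.exe", "bun.exe", "deno.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_username_probe(events):
    """Return one finding per process-creation event that runs echo %USERNAME%.

    Severity is 'high' when the parent is a JavaScript runtime and 'low'
    otherwise, so an admin typing the same command in a console is not
    escalated but still surfaces for baselining.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if basename(ev.get("Image", "")) != "cmd.exe":
            continue
        if not ECHO_USERNAME.search(ev.get("CommandLine", "")):
            continue
        parent = basename(ev.get("ParentImage", ""))
        findings.append({
            "severity": "high" if parent in JS_RUNTIMES else "low",
            "parent": parent,
            "user": ev.get("User"),
            "cmdline": ev["CommandLine"],
        })
    return findings
```

Running detect_username_probe(SAMPLE_EVENTS) yields two findings: a high-severity one for the node.exe parent and a low-severity one for the explorer.exe parent.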
Response
If detected, isolate the endpoint, preserve forensic evidence of WSL mounts and accessed files, and run a full malware scan. Remove ottercookie-socketScript-module-3.js and any related payloads, then verify WSL configurations are hardened or disabled.
Attack Flow

```mermaid
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef technique fill:#ffcc99
  classDef data fill:#ccffcc

  %% Action: Check for WSL environment
  action_check_wsl["<b>Action</b> – Check for WSL environment<br/><b>Technique</b> – T1497.002: Virtualization/Sandbox Evasion: User Activity Based Checks<br/><b>Description</b>: Adversary inspects the environment for virtualization or sandbox artifacts based on user activity to avoid analysis."]
  class action_check_wsl action
  %% Technique node for T1497.002 (optional, shown within action text)

  %% Action: Retrieve Windows username
  action_retrieve_username["<b>Action</b> – Retrieve Windows username via cmd.exe and /mnt/c/Users<br/><b>Technique</b> – T1056.004: Input Capture: Credential API Hooking<br/><b>Description</b>: Adversary captures credential input by hooking relevant Windows APIs."]
  class action_retrieve_username action

  %% Action: Locate browser data paths
  action_locate_browser["<b>Action</b> – Locate browser data paths<br/><b>Technique</b> – T1555.003: Credentials from Password Stores: Credentials from Web Browsers<br/><b>Description</b>: Adversary searches typical browser directories to access stored web credentials."]
  class action_locate_browser action

  %% Action: Add /mnt mount point to priority directories
  action_add_mount["<b>Action</b> – Add /mnt mount point to priority directories<br/><b>Technique</b> – T1564.004: Hide Artifacts: NTFS File Attributes<br/><b>Description</b>: Adversary uses NTFS attributes to hide mount points and prioritize malicious locations."]
  class action_add_mount action

  %% Action: Collect files from mounted Windows drives
  action_collect_files["<b>Action</b> – Collect files from mounted Windows drives<br/><b>Techniques</b> – T1025: Data from Removable Media; T1091: Replication Through Removable Media<br/><b>Description</b>: Adversary gathers data and replicates malicious files via mounted removable media."]
  class action_collect_files action

  %% Action: Harvest credentials from browser stores
  action_harvest_credentials["<b>Action</b> – Harvest credentials from browser stores<br/><b>Technique</b> – T1555.003: Credentials from Password Stores: Credentials from Web Browsers<br/><b>Description</b>: Extracted saved passwords, cookies and session tokens from browsers."]
  class action_harvest_credentials action

  %% Action: Potential lateral movement via collected data
  action_lateral_movement["<b>Action</b> – Potential lateral movement via collected data<br/><b>Description</b>: Use harvested credentials and files to move laterally within the network."]
  class action_lateral_movement action

  %% Connections
  action_check_wsl -->|leads_to| action_retrieve_username
  action_retrieve_username -->|leads_to| action_locate_browser
  action_check_wsl -->|enables| action_add_mount
  action_add_mount -->|enables| action_collect_files
  action_locate_browser -->|enables| action_harvest_credentials
  action_collect_files -->|enables| action_lateral_movement
  action_harvest_credentials -->|supports| action_lateral_movement
```
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
The attacker has gained an initial foothold on the victim machine and seeks to enumerate the logged-on username to personalize payloads. To stay under the radar, the adversary uses a native Windows command shell (Living-off-the-Land) and runs the exact command echo %USERNAME%, which expands the environment variable to the current user's name. This activity generates a cmd.exe process creation event with the command line echo %USERNAME%, matching the detection rule's signature.
Regression Test Script:
```powershell
# Simulate Cryxos trojan retrieving the username via cmd.exe
$cmd = "cmd.exe"
# Renamed from $args: that name is a PowerShell automatic variable and should not be assigned to
$argList = "/c echo %USERNAME%"
Write-Host "Executing: $cmd $argList"
# Spawns cmd.exe with the exact command line the detection rule matches on
Start-Process -FilePath $cmd -ArgumentList $argList -NoNewWindow -Wait
```
Cleanup Commands:
```powershell
# No persistent artifacts remain; ensure any lingering cmd.exe instances are terminated
Get-Process -Name cmd -ErrorAction SilentlyContinue | Stop-Process -Force
```