Security researchers have found malware that runs inside the Windows Subsystem for Linux (WSL). The Linux binary targets the Windows host and loads additional software modules.
The finding was reported by the Black Lotus Labs team at the US telecommunications company Lumen Technologies. They found several malicious Python files compiled into Executable and Linkable Format (ELF) binaries for Debian Linux. “These files acted as bootloaders, launching a ‘payload’ that was either embedded into the instance itself or came from a remote server and then injected into a running process using Windows API calls,” Black Lotus Labs wrote.
In 2017, more than a year after WSL was released, Check Point researchers demonstrated a proof-of-concept attack called Bashware that allowed malicious actions to be carried out from ELF and EXE executables inside the WSL environment. But WSL is disabled by default, and Windows 10 ships without any Linux distribution installed, so Bashware did not look like a realistic threat. Four years later, something similar has now been found outside the laboratory.
Black Lotus Labs noted that the malicious samples had few or no detections on VirusTotal, which means most antivirus engines miss such files. The samples were written in Python 3 and compiled to ELF with PyInstaller. The code calls the Windows API to download a further file and execute it inside another process, giving the attacker access to the infected machine. This presumably requires the file to be run inside WSL first.
Two variants of the malware were found. The first is written in pure Python; the second additionally uses a library to call the Windows API and run a PowerShell script. Black Lotus Labs suggested that the second module is still under development, because it does not work on its own. The sample also contained an IP address, 185.63.90[.]137, associated with targets in Ecuador and France; infected machines tried to communicate with it on ports 39,000 to 48,000 in late June and early July. The researchers suspect the malware's operator was testing a VPN or proxy server.
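One cheap triage check that follows from the description above: a PyInstaller-packed executable carries PyInstaller's archive cookie near the end of the file, so an ELF that contains it is almost certainly a Python program bundled with PyInstaller, whatever its VirusTotal score. The script below, an added example that is not code from Black Lotus Labs or from the article, looks for the cookie magic, parses the cookie to recover the Python version and shared-library name, and classifies the file. The sample bytes it scans are constructed here (a fake ELF header plus a real-format cookie), not a real malware sample; the cookie layout is the one PyInstaller 3.x/4.x writes, and the two version encodings are handled because PyInstaller changed the scheme across releases.

```python
"""Triage check: is this ELF a PyInstaller-bundled Python program?

Added example for the WSL loader write-up; the input below is constructed,
not a real sample.
"""
import struct
import sys
from typing import Optional

ELF_MAGIC = b"\x7fELF"
# 8-byte magic that opens PyInstaller's CArchive cookie. The bootloader
# searches backwards from the end of its own file for it to locate the
# appended archive, so it survives in any PyInstaller-built binary.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout: magic, archive length, TOC offset, TOC length,
# Python version, 64-byte NUL-padded Python shared-library name.
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def parse_cookie(data: bytes) -> Optional[dict]:
    """Return the decoded PyInstaller cookie, or None if none is present."""
    off = data.rfind(PYINSTALLER_MAGIC)
    if off == -1 or off + COOKIE_SIZE > len(data):
        return None
    _magic, total_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(
        COOKIE_FORMAT, data, off
    )
    # PyInstaller encoded the version as major*10+minor in older releases
    # and as major*100+minor in newer ones (needed once 3.10 appeared).
    if pyvers >= 100:
        major, minor = divmod(pyvers, 100)
    else:
        major, minor = divmod(pyvers, 10)
    return {
        "cookie_offset": off,
        "archive_length": total_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": (major, minor),
        "python_lib": pylib.split(b"\x00", 1)[0].decode("ascii", "replace"),
    }


def classify(data: bytes) -> dict:
    """Classify a file as not-elf, plain elf, or elf-pyinstaller."""
    if data[:4] != ELF_MAGIC:
        return {"kind": "not-elf"}
    cookie = parse_cookie(data)
    if cookie is None:
        return {"kind": "elf"}
    return {"kind": "elf-pyinstaller", **cookie}


def build_sample() -> bytes:
    """Constructed stand-in for a PyInstaller-packed ELF (not a real binary):
    a minimal ELF e_ident, filler for the bootloader, a placeholder archive
    body and a correctly formatted cookie claiming Python 3.9."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9  # 64-bit, LE, v1
    bootloader = b"\x90" * 64
    archive = b"PYZ-00.pyz placeholder"  # stands in for the CArchive body
    cookie = struct.pack(
        COOKIE_FORMAT,
        PYINSTALLER_MAGIC,
        len(archive) + COOKIE_SIZE,  # archive length includes the cookie
        len(archive),                # TOC offset (no real TOC here)
        0,                           # TOC length
        39,                          # Python 3.9 in the older encoding
        b"libpython3.9.so.1.0",
    )
    return e_ident + bootloader + archive + cookie


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan files.
    targets = sys.argv[1:] or ["<constructed sample>"]
    for path in targets:
        blob = build_sample() if path.startswith("<") else open(path, "rb").read()
        print(path, classify(blob))
```

Run it against a directory of files pulled out of a WSL distribution's filesystem (for example under the distro's rootfs on the Windows side) to list every ELF that is really a bundled Python program; those are the candidates worth unpacking and reading, since the loader logic described above lives in the Python code, not in the ELF stub.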