Security Experts Discovered Malware Intended For Windows Subsystem For Linux

Lumen’s Black Lotus Labs, a team specializing in network security, reports on its blog about malware that was written in Python and compiled into a Linux ELF binary. What makes it unusual is that this malware is apparently intended to run inside the Windows Subsystem for Linux (WSL) and targets Windows APIs.

According to Black Lotus Labs, several malicious Python files were compiled into Executable and Linkable Format (ELF) binaries for Debian Linux. These files acted as loaders, launching a “payload” that was either embedded in the sample itself or fetched from a remote server, and then injected into a running process using Windows API calls.

In 2017, Check Point researchers demonstrated an experimental attack called Bashware, which showed that malicious ELF and EXE executables could be run from within a WSL environment. But WSL is disabled by default, and Windows 10 ships with no embedded Linux distributions, so the threat from Bashware did not seem real at the time.

The recently discovered malicious samples, however, have a very low detection rate on the VirusTotal service, which means that most antivirus programs will miss them.

Experts from Black Lotus Labs discovered two variants of the malware. The first is written in pure Python; the second additionally uses a library to call the Windows API and run a PowerShell script. In the second case, however, the module still appears to be under development, since it does not work on its own.

Bhasker Das