Lumen’s Black Lotus Labs, a team that specializes in network security, reports on its blog about malware that was written in Python and packaged as a Linux ELF binary. What makes it unusual is that the malware is apparently built to run inside the Windows Subsystem for Linux (WSL) and targets Windows APIs.
According to Black Lotus Labs, several malicious Python files were compiled into Executable and Linkable Format (ELF) binaries for Debian Linux. These files act as loaders, launching a “payload” that is either embedded in the sample itself or fetched from a remote server, and then injecting it into a running process using Windows API calls.
In 2017, Check Point researchers demonstrated an experimental attack called Bashware, which showed that malicious ELF and EXE executables could be run from inside a WSL environment. But WSL is disabled by default, and Windows 10 ships with no Linux distribution preinstalled, so the threat from Bashware did not seem real.
The recently discovered samples, however, have very low detection rates on the VirusTotal service, meaning that most antivirus engines miss them (detection rates are a point-in-time measurement and usually rise once vendors add signatures).
Black Lotus Labs found two variants of the malware. The first is written in pure Python; the second additionally uses a library (Python’s ctypes foreign-function interface) to call the Windows API and run a PowerShell script. In the second case, however, the module appears to still be under development, as it does not work on its own.
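The loader described above combines three things a defender can check for statically: an ELF header, a Python-to-ELF packaging signature, and strings that point at Windows interop (ctypes, Win32 injection APIs, PowerShell, the /mnt/c path WSL uses for the Windows filesystem). The following triage script is an added example written for this article; it is not code from Black Lotus Labs, and it assumes the samples were packaged with PyInstaller (the report does not name the tool), so the PyInstaller archive cookie magic is used as the packaging signature. The marker strings and the sample byte blobs are constructed for the example and are not indicators published in the report.

```python
"""Static triage for Python-in-ELF loaders that reach for Windows APIs.

Added example for this article, not code from Black Lotus Labs. Assumes the
Python-to-ELF packaging was done with PyInstaller (the report does not say
which tool was used); other packers need their own signature.
"""
import sys
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"
# PyInstaller writes an archive "cookie" that begins with these 8 bytes
# (see PyInstaller/archive/readers.py in the PyInstaller source).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Lower-cased strings suggesting a Linux binary intends to drive Windows.
# Chosen for this example; they are not indicators published in the report.
WINDOWS_INTEROP_MARKERS = (
    b"ctypes",              # Python FFI used to call the Win32 API
    b"kernel32",
    b"virtualallocex",      # classic remote-injection trio
    b"writeprocessmemory",
    b"createremotethread",
    b"powershell",
    b"/mnt/c/windows",      # WSL's view of the Windows filesystem
)


@dataclass
class TriageResult:
    is_elf: bool
    is_pyinstaller: bool
    markers: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Only flag the combination the article describes: a PyInstaller-built
        # ELF that also carries Windows-interop strings.
        return self.is_elf and self.is_pyinstaller and bool(self.markers)


def triage(data: bytes) -> TriageResult:
    """Return which of the three indicators are present in a file image."""
    lowered = data.lower()
    return TriageResult(
        is_elf=data.startswith(ELF_MAGIC),
        is_pyinstaller=PYINSTALLER_MAGIC in data,
        markers=[m.decode() for m in WINDOWS_INTEROP_MARKERS if m in lowered],
    )


def _fake_elf(*chunks: bytes) -> bytes:
    """Constructed sample: an ELF64 e_ident header followed by arbitrary
    content. It is not a real executable and will not run."""
    ident = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # 64-bit, LSB, SYSV ABI
    return ident + b"\x00" * 48 + b"".join(chunks)


# Constructed samples (hypothetical, not real malware bytes).
SAMPLE_LOADER = _fake_elf(
    b"PYZ-00.pyz", b"_ctypes.cpython-39.so",
    b"kernel32.dll", b"WriteProcessMemory", b"CreateRemoteThread",
    b"/mnt/c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe",
    PYINSTALLER_MAGIC,
)
SAMPLE_BENIGN = _fake_elf(b"PYZ-00.pyz", b"requests", PYINSTALLER_MAGIC)
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"


def main(paths):
    """Triage each file given on the command line and print a verdict."""
    for path in paths:
        with open(path, "rb") as fh:
            r = triage(fh.read())
        flag = "SUSPICIOUS" if r.suspicious else "ok"
        print(f"{path}: elf={r.is_elf} pyinstaller={r.is_pyinstaller} "
              f"markers={r.markers} -> {flag}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python triage.py /path/to/sample` on files pulled from a WSL distribution’s filesystem (for WSL 2 these live inside the distro’s ext4.vhdx, so collect them from within the distro or after mounting the disk). The script is a string-level triage aid, not a classifier: a PyInstaller-built ELF with no interop strings (SAMPLE_BENIGN) is reported as clean, and a packer that compresses or encrypts its archive will hide the markers, so pair it with runtime telemetry for Windows processes spawned from inside WSL.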