Linux subsystem malware detected in Microsoft Windows

By: Yuriy Stanislavskiy | 20.09.2021, 12:25

Security experts have detected malware running in a Windows Subsystem for Linux (WSL) environment. The Linux binary attempts to attack Windows and download additional software modules.

The problem was reported by researchers at Black Lotus Labs, part of US telecommunications company Lumen Technologies. They found several malicious Python files compiled into ELF (Executable and Linkable Format) binaries for Debian Linux.

How such viruses are structured

"These files acted as loaders, running 'payloads' that were either embedded in the instance itself or came from a remote server and then injected into the running process using Windows API calls," Black Lotus Labs explained.

In 2017, more than a year after WSL was released, Check Point researchers demonstrated an experimental attack called Bashware that allowed malicious actions to be carried out from ELF and EXE executables inside the WSL environment. But WSL is disabled by default, and Windows 10 ships without any embedded Linux distribution, so the threat from Bashware did not seem practical at the time.

Four years later, however, something similar was discovered "in the wild." Black Lotus Labs noted that the malware samples had a very low detection rate on the VirusTotal service, meaning that most anti-virus engines would miss them.
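Since the samples are ELF executables sitting on a Windows host, a simple header check is one local triage step that does not depend on anti-virus signatures. The following is an added example, not code from Black Lotus Labs or from the article: it parses the ELF identification header and flags ELF files found outside a WSL distribution's root filesystem. The path markers, the "ELF outside a rootfs is suspicious" heuristic, and all sample file records are my assumptions and constructed inputs, not data from the report.

```python
"""Added example (not the article's or Black Lotus Labs' code): identify ELF
binaries by header and flag those found outside a WSL rootfs on Windows.

Assumption (mine, not the article's): on a Windows host, ELF files normally
live only inside a WSL distribution's rootfs or behind the \\wsl$ share, so
an ELF file in a user-writable Windows directory deserves a closer look.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}

# Path fragments that mark a WSL rootfs (assumed allowlist, not from the report).
WSL_ROOTFS_MARKERS = ("\\rootfs\\", "\\\\wsl$\\", "\\\\wsl.localhost\\")


@dataclass
class ElfInfo:
    bits: int
    little_endian: bool
    e_type: str
    machine: str


def parse_elf_header(data: bytes) -> Optional[ElfInfo]:
    """Return ElfInfo if `data` starts with a valid ELF header, else None."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]          # 1/2 = 32/64-bit, 1/2 = LE/BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are the two 16-bit fields right after e_ident.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return ElfInfo(
        bits=32 if ei_class == 1 else 64,
        little_endian=(ei_data == 1),
        e_type=E_TYPES.get(e_type, f"unknown({e_type})"),
        machine=E_MACHINES.get(e_machine, f"unknown({e_machine})"),
    )


def is_in_wsl_rootfs(path: str) -> bool:
    """True if the Windows path points inside a WSL distribution's rootfs."""
    p = path.lower()
    return any(marker.lower() in p for marker in WSL_ROOTFS_MARKERS)


def triage(files: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, ElfInfo]]:
    """Return (path, ElfInfo) for every ELF file that is not inside a WSL rootfs."""
    hits = []
    for path, head in files:
        info = parse_elf_header(head)
        if info is None or is_in_wsl_rootfs(path):
            continue
        hits.append((path, info))
    return hits


def make_elf_header(bits: int = 64, little: bool = True,
                    e_type: int = 2, e_machine: int = 62) -> bytes:
    """Build a minimal 64-byte ELF header for constructed test input."""
    e_ident = (ELF_MAGIC
               + bytes([1 if bits == 32 else 2, 1 if little else 2, 1])
               + b"\x00" * 9)                       # pad e_ident to 16 bytes
    endian = "<" if little else ">"
    return e_ident + struct.pack(endian + "HH", e_type, e_machine) + b"\x00" * 44


# Constructed sample records (path, first bytes of file); not real samples.
SAMPLES = [
    (r"C:\Users\alice\AppData\Local\Temp\update.bin", make_elf_header()),
    (r"C:\Users\alice\AppData\Local\Packages\ExampleDistro\LocalState\rootfs\bin\ls",
     make_elf_header()),
    (r"C:\Users\alice\Downloads\report.exe", b"MZ\x90\x00" + b"\x00" * 60),
    (r"C:\Users\alice\Downloads\tool.elf",
     make_elf_header(bits=32, e_type=3, e_machine=3)),
]

if __name__ == "__main__":
    for path, info in triage(SAMPLES):
        print(f"ELF outside WSL rootfs: {path} ({info.bits}-bit {info.e_type} {info.machine})")
```

On a live host the `SAMPLES` list would be replaced by walking user-writable directories and reading the first 64 bytes of each file; the header check is cheap enough to run over Temp, Downloads and AppData without noticeable cost.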

More specifics

Two variants of the malware were detected. The first is written in pure Python; the second additionally uses a Python library to call the Windows API and run a PowerShell script. Black Lotus Labs suggests that the second variant is still under development, since it does not run on its own.

The samples also revealed an IP address (185.63.90[.]137), associated with targets in Ecuador and France, to which infected machines attempted to connect on ports 39000-48000 in late June and early July. The malware operator is believed to have been testing a VPN or proxy server.

Source: The Register, Lumen

Illustration: CC0 Public Domain