Security researchers have for the first time discovered real malware that abuses the Windows Subsystem for Linux (WSL) to install malicious code. Until now, delivering Linux malware to Windows via WSL had been purely theoretical. A research group at the US telecommunications company Lumen Technologies has now found Python files compiled into ELF binaries which, when executed under WSL, download further malicious code and inject it into running Windows processes via Windows API calls.
According to Lumen, the code appears to be real malware found in the wild, but it is fairly simple and seems to have been built for testing purposes. It first tries to disable known anti-virus programs on the computer and then communicates with an external IP address on ports in the 39000 to 48000 range. The researchers suspect that its developers wanted to use it to test VPN or proxy connections. Infected computers were found in France and Ecuador.
The malicious code was written in Python 3 and compiled into an ELF binary for Debian-based systems with PyInstaller. One variant is implemented entirely in Python; another sample loads a PowerShell script via the Windows API, and that script carries out the main functions of the malware. To run on the target system, the ELF file has to be downloaded by the victim and executed inside WSL. The researchers apparently do not know which method the attacker actually used to get the file executed in WSL.
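Because scanner verdicts for this kind of sample are unreliable (see below), a defender who finds a suspicious ELF inside a WSL distribution often has to triage it by hand. The following Python script is an added example, not code from Lumen's report or from the samples it describes: it recognises a PyInstaller-bundled ELF, reports the embedded Python version and shared-library name, and extracts the entry-point script, which is usually the fastest way to see what such a binary does. The cookie and table-of-contents layouts are those of PyInstaller's CArchive format (version 2.1 and later) as used by its bootloader; the sample binary, the entry names "dropper" and "config.txt", the libpython3.9 name and the placeholder script are all constructed here for the demonstration and contain nothing malicious.

```python
"""Triage a suspected PyInstaller-bundled ELF (like the WSL samples above):
detect the PyInstaller CArchive, report the embedded Python version and
list/extract the entry-point scripts. Added example, not Lumen's code.
Layouts follow PyInstaller's bootloader (CArchive cookie, PyInstaller 2.1+)."""
import struct
import zlib
from typing import Optional

ELF_MAGIC = b"\x7fELF"
# Magic that starts PyInstaller's CArchive cookie (MEI\014\013\012\013\016).
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie: magic, archive length, TOC offset, TOC length, Python version,
# name of the Python shared library (64 bytes, NUL padded). All big-endian.
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88
# TOC entry header: entry length, data position, compressed size,
# uncompressed size, compression flag, type code; the name follows.
ENTRY_FMT = "!iIIIBc"
ENTRY_HDR_LEN = struct.calcsize(ENTRY_FMT)  # 18


def parse_pyinstaller(data: bytes) -> Optional[dict]:
    """Return archive metadata if `data` is an ELF carrying a PyInstaller archive."""
    if not data.startswith(ELF_MAGIC):
        return None
    # The cookie is normally the last 88 bytes, but ELF builds may carry the
    # archive in a 'pydata' section with trailing padding, so search for it.
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    archive_start = pos + COOKIE_LEN - pkg_len  # TOC and data offsets are relative to this
    if archive_start < 0 or toc_len < 0:
        return None
    # PyInstaller stores 3.9 as 39 and, from 4.x on, 3.10 as 310.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    entries = []
    off, end = archive_start + toc_off, archive_start + toc_off + toc_len
    while off + ENTRY_HDR_LEN <= end <= len(data):
        entry_len, dpos, csize, usize, cflag, typ = struct.unpack(
            ENTRY_FMT, data[off:off + ENTRY_HDR_LEN])
        if entry_len < ENTRY_HDR_LEN:
            break  # corrupt entry; stop rather than loop forever
        name = data[off + ENTRY_HDR_LEN:off + entry_len].rstrip(b"\x00")
        entries.append({"name": name.decode("utf-8", "replace"),
                        "type": typ.decode("ascii", "replace"),
                        "pos": archive_start + dpos, "csize": csize,
                        "usize": usize, "compressed": bool(cflag)})
        off += entry_len
    return {"python": f"{major}.{minor}",
            "pylib": pylib.rstrip(b"\x00").decode("utf-8", "replace"),
            # Type 's' marks the scripts the bootloader runs at start-up.
            "scripts": [e["name"] for e in entries if e["type"] == "s"],
            "entries": entries}


def extract_entry(data: bytes, info: dict, name: str) -> bytes:
    """Return the (decompressed) bytes of the named archive entry."""
    for e in info["entries"]:
        if e["name"] == name:
            raw = data[e["pos"]:e["pos"] + e["csize"]]
            return zlib.decompress(raw) if e["compressed"] else raw
    raise KeyError(name)


# --- Constructed stand-in for a one-file PyInstaller ELF (no real malware) ---
def _toc_entry(name: str, pos: int, csize: int, usize: int, cflag: int, typ: bytes) -> bytes:
    nm = name.encode() + b"\x00"
    nm += b"\x00" * ((-(ENTRY_HDR_LEN + len(nm))) % 16)  # PyInstaller pads entries to 16 bytes
    return struct.pack(ENTRY_FMT, ENTRY_HDR_LEN + len(nm), pos, csize, usize, cflag, typ) + nm


SCRIPT_SRC = b"import ctypes\nprint('placeholder entry-point script')\n"  # harmless stand-in


def build_constructed_sample() -> bytes:
    """Fake ELF header + bootloader filler + CArchive (script, data, TOC, cookie)."""
    cscript = zlib.compress(SCRIPT_SRC)
    config = b"port=39000\n"                      # uncompressed data entry
    payload = cscript + config
    toc = (_toc_entry("dropper", 0, len(cscript), len(SCRIPT_SRC), 1, b"s")
           + _toc_entry("config.txt", len(cscript), len(config), len(config), 0, b"x"))
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, len(payload) + len(toc) + COOKIE_LEN,
                         len(payload), len(toc), 39, b"libpython3.9.so.1.0")
    return ELF_MAGIC + b"\x00" * 60 + b"\x90" * 128 + payload + toc + cookie


if __name__ == "__main__":
    blob = build_constructed_sample()
    meta = parse_pyinstaller(blob)
    print(f"PyInstaller archive, Python {meta['python']} ({meta['pylib']}), "
          f"scripts: {meta['scripts']}")
    print(extract_entry(blob, meta, "dropper").decode())
```

Run against a real one-file build, `parse_pyinstaller(open(path, "rb").read())` gives the Python version and the type 's' entries; the extracted script is plain source (or a marshalled code object on older builds), which is enough to spot an `import ctypes` followed by Windows API calls of the kind Lumen describes, with no scanner signature required.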
VirusTotal waves the malicious code through
On the one hand, the threat posed by the WSL malware has so far been limited, because the actual malicious code has not yet done anything particularly harmful and because WSL is active on only a small share of Windows systems, mostly those of developers and tech enthusiasts. On the other hand, it is unsettling that the malicious code described by Lumen was detected by only one of the more than 70 scanners on VirusTotal at the time it was discovered. One of the variants was not detected by any scanner at all. This clearly indicates that anti-virus vendors have barely, if at all, got this type of malware on their radar.
Attack vector no longer a theory
The first appearance of WSL malware in the wild is significant because this type of threat was previously pure theory, which probably explains the low detection rate by anti-virus programs. As early as 2017, the security company Check Point found a way to attack Windows via WSL. At the time, however, Check Point overdramatized the risk of such attacks: the attack scenario was purely theoretical, and Check Point's assessment of how many systems were at risk was exaggerated. After all, it took four years for malicious code that actually uses this vector to emerge. There is still no need to panic at this point. However, AV vendors and admins of systems on which WSL is enabled should take note that such attacks are finally no longer theoretical, and that more dangerous malware attacking Windows computers by way of WSL is probably to be expected in the future.
After all, in some scenarios it could be tactically smart for attackers to go after Windows systems with Linux malware. If an organization only uses Windows computers, it is quite possible that its security team does not regard Linux malware as a threat at all. And even if only one admin has installed WSL on his machine as a hobby, that can be enough to compromise the entire organization if this admin has extensive rights on the network. It is not without reason that admin workstations are usually the first target of attackers moving laterally through a network: they are usually a gold mine for passwords, certificates and cryptographic keys.