Runs under WSL: First Linux malware appeared in Windows

What was a theory four years ago is now real: Linux ELF binaries that attack Windows systems via their own API.

Security researchers have for the first time discovered real malware that abuses the Windows Subsystem for Linux (WSL) to install malicious code. Until now, the spread of Linux malware to Windows via WSL was pure theory. Now, however, a group of researchers from U.S. telecommunications firm Lumen Technologies has discovered Python files translated into ELF binary format that download malicious code when executed by WSL and inject it into running Windows processes via Windows API calls.

No proof of concept

According to Lumen, the malicious code seems to be real malware that was discovered in the wild. However, it is rather simplistic and was probably developed for testing purposes. The malware first attempts to disable known anti-virus programs on the computer and then communicates with an external IP address on ports in the range 39000 to 48000. Security researchers suspect that the developers of the malicious code intended to use it to test VPN or proxy connections. Infected machines were discovered in France and Ecuador.

The malicious code was written in Python 3 and compiled as an ELF binary for Debian systems using PyInstaller. One version works entirely with Python and another sample of the malware loads a PowerShell script via the Windows API, which executes the main functions of the malicious code. To be executed on the target system, the malicious code must be downloaded by the victim and executed via WSL. The specific method the attacker used to get the ELF file executed in WSL does not seem to be known to the security researchers.

VirusTotal waves the malicious code through

On the one hand, the threat from WSL malware is so far very limited, because the actual malicious code does not do particularly malicious things so far, and because WSL installations are active only on a small number of Windows systems, mostly from developers and tech enthusiasts. On the other hand, it is worrying that the malicious code described by Lumen was only detected by one of VirusTotal’s 70-plus virus scanners when it was discovered. One of the versions of the malware was even not unmasked by any of the scanners. This clearly indicates that anti-virus vendors have little or no awareness of this type of malware so far.

Attack vector no longer a theory

The first appearance of WSL malware in the wild is significant mainly because this type of threat was previously pure theory – which probably explains the low detection rate of the malicious code by anti-virus programs. Back in 2017, the security firm Checkpoint had found a way to attack Windows from the WSL. At the time, however, Checkpoint had greatly overdramatized the risk of such attacks – the attack scenario was purely theoretical and Checkpoint’s assessment of the systems at risk was exaggerated. In the end, it did take four years for malicious code to actually appear that used this attack vector. Even at this point, there is no reason to panic. However, AV vendors and admins of systems where WSL is enabled should be aware from now on that such attacks are definitely no longer a theory and we should probably expect more dangerous malware attacking Windows machines via the WSL detour in the future.

After all, in some scenarios it might be tactically smart for attackers to attack Windows systems with Linux malware. If an organization has only Windows machines in use, its security department may not even see Linux malware as a threat. And even if only one admin has WSL installed on his machine for hobby reasons, that can be enough to compromise the entire organization if that admin has wide-ranging rights on the network. It is not without reason that admin machines are usually the first priority of attackers in lateral movement through the target network – they are usually a goldmine for passwords, certificates and crypto keys.