Security researchers have discovered a new type of malware that uses the Windows Subsystem for Linux (WSL) as a stealth attack vector. Such attacks are carried out with malicious Linux binaries; the method had not previously been observed in the wild, although it was known to be possible. The problem was discovered by researchers at Black Lotus Labs, who describe it as the first time attackers have misused WSL to install plugins.
The researchers identified several malicious files, written primarily in Python 3 and compiled into Linux ELF (Executable and Linkable Format) binaries for Debian. These files served as loaders: they launched the payload, and the malware was then injected into a running process through Windows API calls.
Notably, the samples found had low detection rates on VirusTotal.
While one version of the ELF loader used pure Python, another relied on PowerShell to inject and execute code; this variant still appears to be under development. The researchers are concerned that the Windows Subsystem for Linux makes it easy for such attacks to slip out of sight and go completely unnoticed. For more information on this type of attack, see the Black Lotus Labs blog.
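The defensive takeaway from the loader behaviour described above is that a Windows script host spawned from underneath WSL is unusual on most endpoints and worth alerting on. The following Python is an added example written for this page, not code from Black Lotus Labs or from the malware itself. It assumes simplified, constructed process-creation records (pid, parent pid, image name, command line) of the kind an EDR or Sysmon event would provide, and it assumes the WSL-side process names `wsl.exe`, `bash.exe` and `wslhost.exe` as the interop hosts to look for; it also includes a small ELF magic-number check for triaging files found on a Windows host.

```python
"""Flag PowerShell launched from under the Windows Subsystem for Linux.

Added example for this article. The process records below are constructed
sample data in a simplified Sysmon-like shape (an assumption), not real logs.
"""
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
# Assumed WSL interop host images; tune to what your telemetry actually shows.
WSL_HOSTS = {"wsl.exe", "bash.exe", "wslhost.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable
    cmdline: str


def is_elf(header: bytes) -> bool:
    """True if the leading bytes carry the ELF magic (0x7f 'E' 'L' 'F').

    An ELF file on a Windows endpoint is not malicious by itself, but it is a
    cheap triage signal given the loaders described in the article.
    """
    return header[:4] == ELF_MAGIC


def ancestors(event: ProcEvent, by_pid: dict) -> list:
    """Walk the parent chain of `event`, guarding against pid-reuse cycles."""
    chain, seen = [], set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def flag_wsl_spawned_script_hosts(events: list) -> list:
    """Return (pid, wsl_ancestor_image) for every script host whose
    ancestry passes through a WSL host process."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image.lower() not in SCRIPT_HOSTS:
            continue
        for anc in ancestors(e, by_pid):
            if anc.image.lower() in WSL_HOSTS:
                findings.append((e.pid, anc.image))
                break
    return findings


# Constructed sample events: one PowerShell under WSL, one benign one.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wsl.exe", "wsl.exe -d Debian"),
    ProcEvent(300, 200, "wslhost.exe", "wslhost.exe"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -nop -w hidden -enc <placeholder>"),
    ProcEvent(500, 100, "powershell.exe", "powershell.exe -File admin.ps1"),
]

if __name__ == "__main__":
    for pid, via in flag_wsl_spawned_script_hosts(SAMPLE_EVENTS):
        print(f"ALERT: pid {pid} script host launched under WSL via {via}")
    print("ELF sample:", is_elf(b"\x7fELF\x02\x01\x01"))
```

The ancestor walk matters because the script host is not always a direct child of `wsl.exe`; checking only the immediate parent would miss the chain shown in the sample data. Only pid 400 is reported, while the PowerShell run directly from Explorer (pid 500) is left alone.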