Security News > 2021 > September > Yes, of course there's now malware for Windows Subsystem for Linux

Linux binaries have been found trying to take over Windows systems in what appears to be the first publicly identified malware to utilize Microsoft's Windows Subsystem for Linux to install unwelcome payloads.

On Thursday, Black Lotus Labs, the threat research group at networking biz Lumen Technologies, said it had spotted several malicious Python files compiled in the Linux binary format ELF for Debian Linux.

"These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls," Black Lotus Labs said in a blog post.

Because WSL wasn't enabled by default and Windows 10 didn't ship with any preinstalled Linux distro, Bashware wasn't considered a particularly realistic threat at the time.

The files function as loaders for a payload that's either embedded - possibly created using open-source tools like MSFVenom or Meterpreter - or fetched from a remote command-and-control server and is then inserted into a running process via Windows API calls.

The code invokes various Windows APIs to fetch a remote file and add it to a running process, thereby establishing access to the infected machine.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/17/windows_subsystem_for_linux_malware/