Security researchers at Lumen’s Black Lotus Labs discovered several malicious Linux files designed to infect the Windows Subsystem for Linux (WSL) with malicious payloads.
First introduced in 2016, WSL allows developers to run a GNU/Linux environment, including most command-line tools, utilities, and applications, directly on Windows, unmodified, without the overhead of a traditional virtual machine or dual-boot setup.
The researchers said that the discovered samples were written primarily in Python and compiled in the Linux binary format ELF for the Debian OS, a popular Linux distribution. These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls.
The samples were uploaded every two to three weeks from as early as May 3, 2021, through August 22, 2021, with the earliest samples written purely in Python 3. These samples used standard Python libraries that would allow them to run on both Linux and Windows systems. Another sample used PowerShell to interact with specific Windows APIs.
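The article says the loaders were Python programs compiled into Debian ELF binaries and staged inside WSL. One defensive check that follows from that is to sweep a WSL distribution's root filesystem for ELF files that carry an embedded Python runtime, which a stock Debian rootfs should contain few of. The script below is an added example, not Black Lotus Labs' tooling; it assumes the samples were PyInstaller-packed (the page only says "Python compiled to ELF"), so it looks for PyInstaller's archive cookie plus a few generic interpreter strings, and it assumes the Store-distro rootfs location under `%LOCALAPPDATA%\Packages`. Any directory can be passed on the command line instead.

```python
#!/usr/bin/env python3
"""Hunt a WSL rootfs for ELF binaries that embed a Python runtime.

Added example; not code from the article or from Black Lotus Labs.
Assumptions: PyInstaller-style packing (the page does not name the packer)
and the Store-distro rootfs path layout used in default_wsl_roots().
"""
import os
import sys
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# PyInstaller's CArchive cookie (MEI\014\013\012\013\016). Assumption: the
# samples were PyInstaller-packed; other packers would need their own marker.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Generic strings that indicate an embedded CPython interpreter.
PYTHON_HINTS = (b"libpython3", b"Py_Initialize", b"_MEIPASS")


def classify_elf(data: bytes) -> dict:
    """Describe a file's bytes: is it ELF, and does it embed Python?"""
    info = {"is_elf": data[:4] == ELF_MAGIC, "pyinstaller": False, "hints": []}
    if not info["is_elf"]:
        return info
    info["pyinstaller"] = PYINSTALLER_MAGIC in data
    info["hints"] = [h.decode() for h in PYTHON_HINTS if h in data]
    return info


def is_suspicious(info: dict) -> bool:
    """An ELF with a Python runtime inside is worth a second look."""
    return info["is_elf"] and (info["pyinstaller"] or bool(info["hints"]))


def scan_tree(root, max_size: int = 64 * 1024 * 1024) -> list:
    """Walk a directory tree and return (path, info) for suspicious ELF files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or not path.is_file():
                    continue
                if path.stat().st_size > max_size:
                    continue  # skip huge files; loaders are small
                data = path.read_bytes()
            except OSError:
                continue  # unreadable or vanished; move on
            info = classify_elf(data)
            if is_suspicious(info):
                findings.append((str(path), info))
    return findings


def default_wsl_roots() -> list:
    """Candidate rootfs dirs for Store-installed WSL distros (assumed layout)."""
    base = Path(os.environ.get("LOCALAPPDATA", "")) / "Packages"
    if not base.is_dir():
        return []
    return [p for p in base.glob("*/LocalState/rootfs") if p.is_dir()]


if __name__ == "__main__":
    roots = [Path(a) for a in sys.argv[1:]] or default_wsl_roots()
    for root in roots:
        for path, info in scan_tree(root):
            why = "pyinstaller" if info["pyinstaller"] else ",".join(info["hints"])
            print(f"{path}\t{why}")
```

Run it from Windows with the WSL distro stopped, or point it at an exported rootfs tarball that has been unpacked elsewhere; hits under paths like `/root`, `/tmp` or `/home` deserve more attention than a legitimately installed Python package in `/usr/lib`.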
One PowerShell sample contained functions allowing it to kill suspected AV products and analysis tools, Black Lotus said.
“To our knowledge, this small set of samples denotes the first instance of an actor abusing WSL to install subsequent payloads,” the Black Lotus Labs security researchers said. “We hope that by illuminating this distinct tradecraft, we can help drive better detection and alerting before its use becomes more rampant.”
Indicators of Compromise and file hashes associated with this campaign are available in the Black Lotus Labs report.