Black Lotus Labs reports that hackers have started developing and testing methods of using Microsoft’s Windows Subsystem for Linux (WSL), which offers a Linux command shell on Windows PCs, to compromise Windows installations.
The security company has found several samples of the new technique in the wild, though none of them is fully developed yet.
The malware typically uses Python 3 to carry out the dirty work, and the hacks are packaged as ELF executables for Debian using PyInstaller. Packages of this type typically go unscanned by standard Windows antivirus software.
“As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality,” said Black Lotus Labs.
The samples Black Lotus Labs detected typically download their payload from the internet, and one of them used Python to call functions that killed the running antivirus solution, established persistence on the system, and ran a PowerShell script every 20 seconds.
The new approach appears close to being fully developed, and users of WSL should be aware of the increased attack surface the environment opens up on their PCs. Black Lotus Labs recommends that those who have enabled WSL ensure proper logging in order to detect this type of attack.
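An added example (not code from the article or from Black Lotus Labs) of the kind of check that logging recommendation makes possible: it scans process-creation events for Windows interpreters launched by a WSL bridge process and for the 20-second repeat cadence described above. The Sysmon-style field names, the set of WSL bridge images and the log lines themselves are constructed assumptions for the demo.

```python
"""Hunt for the WSL-to-PowerShell pattern in process-creation logs.
Assumptions: events carry Sysmon Event ID 1-like fields (UtcTime, Image,
ParentImage, ProcessId, ParentProcessId, CommandLine) flattened into
'key=value|key=value' lines; WSL_BRIDGES is a guess; the log is constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

WSL_BRIDGES = {"wsl.exe", "wslhost.exe", "bash.exe", "init"}  # assumed
WINDOWS_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

SAMPLE_LOG = r"""
UtcTime=2021-09-16 10:00:00|Image=C:\Windows\System32\wsl.exe|ParentImage=C:\Windows\explorer.exe|ProcessId=4100|ParentProcessId=1200|CommandLine=wsl.exe -d Debian -e ./loader
UtcTime=2021-09-16 10:00:05|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\wsl.exe|ProcessId=4110|ParentProcessId=4100|CommandLine=powershell.exe -File C:\Users\Public\task.ps1
UtcTime=2021-09-16 10:00:25|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\wsl.exe|ProcessId=4111|ParentProcessId=4100|CommandLine=powershell.exe -File C:\Users\Public\task.ps1
UtcTime=2021-09-16 10:00:45|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\wsl.exe|ProcessId=4112|ParentProcessId=4100|CommandLine=powershell.exe -File C:\Users\Public\task.ps1
UtcTime=2021-09-16 10:01:00|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|ProcessId=4200|ParentProcessId=1200|CommandLine=powershell.exe
"""

def load_events(log: str) -> List[Dict[str, str]]:
    """Parse the constructed 'key=value|key=value' lines into dicts."""
    return [dict(f.split("=", 1) for f in line.split("|"))
            for line in log.strip().splitlines()]

def image_name(path: str) -> str:
    """Last path component, lower-cased, for Windows or Linux paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def wsl_spawned_interpreters(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Events where a WSL bridge process launched a Windows interpreter."""
    return [e for e in events
            if image_name(e["ParentImage"]) in WSL_BRIDGES
            and image_name(e["Image"]) in WINDOWS_INTERPRETERS]

def periodic_parents(events, period_s=20, tolerance_s=2, min_hits=3) -> List[str]:
    """Parent PIDs whose interpreter launches repeat every ~period_s seconds,
    the cadence the report attributes to one sample (a script every 20 s)."""
    starts = defaultdict(list)
    for e in wsl_spawned_interpreters(events):
        starts[e["ParentProcessId"]].append(
            datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"))
    flagged = []
    for pid, times in starts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = sum(1 for g in gaps if abs(g - period_s) <= tolerance_s)
        if regular + 1 >= min_hits:  # enough evenly spaced launches
            flagged.append(pid)
    return flagged
```

Against the constructed log, the three PowerShell launches under wsl.exe (PID 4100) are flagged while the one started from explorer.exe is not; on real telemetry, verify which bridge image your WSL version reports as the parent before tuning WSL_BRIDGES.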
Read their full report here.