
Researchers Find Malware Hiding in Windows Subsystem for Linux


Black Lotus Labs revealed on Thursday that it's discovered new malware that uses the Windows Subsystem for Linux (WSL) to avoid being detected by security tools.

WSL debuted in 2016 alongside the Windows 10 Anniversary Update as a way to run GNU/Linux command-line tools without booting into a different operating system. The original WSL did not run a Linux kernel at all: it was a compatibility layer, developed by Microsoft, that translated Linux system calls into calls on the Windows NT kernel. That changed with WSL 2, announced in 2019 and first shipped to Windows Insiders in June 2019, which runs a real Linux kernel inside a lightweight virtual machine.

That release officially brought a genuine Linux kernel to Windows. That is convenient for people who don't want to fuss with dual booting or maintaining a separate virtual machine, but it also means a Windows host can now execute Linux binaries that most Windows-focused security tools were never built to inspect. Black Lotus Labs said the malware it found used exactly that blind spot to attack target PCs covertly.

The researchers said the malware was distributed as Executable and Linkable Format (ELF) files built to run on Debian, a popular Linux distribution, and its derivatives. In some cases those files carried the payload intended for the target PC; in others they fetched it from remote command-and-control infrastructure.

Black Lotus Labs found several versions of the malicious ELF files. One was written entirely in Python using only standard libraries, so the same code could run on both Linux and Windows. Another used PowerShell, Microsoft's command shell and scripting language, to interact with specific Windows APIs from the Linux side.

The researchers said "this tradecraft could allow an actor to gain an undetected foothold on an infected machine." VirusTotal, a service that runs submitted files through 70-odd antivirus engines, bore that out: the samples had "a detection rate of one or zero" when the Black Lotus Labs report was written, meaning at most one engine flagged them.

"To our knowledge, this small set of samples denotes the first instance of an actor abusing WSL to install subsequent payloads," the Black Lotus Labs security researchers said. "We hope that by illuminating this distinct tradecraft, we can help drive better detection and alerting before its use becomes more rampant."

In the meantime, Black Lotus Labs is asking WSL users to make sure WSL activity is properly logged, so that defenders can spot this kind of tradecraft before it becomes widespread.
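What that logging advice looks like in practice: the malware described above runs inside the Linux side of WSL, where Windows process-creation logging (Sysmon, Event ID 4688) cannot see it, but the moment it reaches for Windows APIs through PowerShell it has to cross the WSL interop bridge, and that crossing is visible on the Windows side. The script below is an added example, not code from Black Lotus Labs or Microsoft. It parses constructed Sysmon-style process-creation records and flags a Windows shell or interpreter spawned from a WSL parent, an encoded PowerShell command line, and plain WSL launches; it also includes an ELF-magic check for triaging files dropped on the Windows filesystem. The parent-image list, the field layout of the log lines and the sample records are assumptions, not indicators published by the researchers.

```python
"""Flag Windows processes spawned from the Linux side of WSL.

Added example, not the researchers' or Microsoft's code. The log format,
the WSL_PARENTS list and the sample records below are assumptions.
"""
import re
from dataclasses import dataclass

# Windows images that bridge a WSL distro to Windows. Assumption: the
# interop parent on a given host may be any of these.
WSL_PARENTS = {"wsl.exe", "wslhost.exe", "bash.exe", "ubuntu.exe", "debian.exe"}

# Windows-side tools a Linux payload would call to reach Windows APIs.
INTEROP_TARGETS = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "mshta.exe"}

ELF_MAGIC = b"\x7fELF"

# Simplified Sysmon Event ID 1 layout (assumption): key=value, no spaces in paths.
LINE_RE = re.compile(
    r"ParentImage=(?P<parent>\S+)\s+Image=(?P<image>\S+)\s+CommandLine=(?P<cmd>.*)"
)

# -e, -en, -enc, -encodedcommand (PowerShell accepts parameter prefixes);
# does not match -ep / -exec (ExecutionPolicy).
ENCODED_RE = re.compile(r"-e(n[a-z]*)?\s")

# Constructed sample records; the base64 blob is a placeholder, not real malware.
SAMPLE_LOG = [
    "ParentImage=C:\\Windows\\System32\\wsl.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -NoProfile -enc aQBlAHgA",
    "ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -ep bypass -File C:\\Users\\dev\\build.ps1",
    "ParentImage=C:\\Windows\\System32\\wslhost.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
    "ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\wsl.exe CommandLine=wsl.exe -d Debian",
    "garbage line that does not parse",
]


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line):
    """Return a ProcEvent for a well-formed record, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return ProcEvent(m["parent"], m["image"], m["cmd"].strip())


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_wsl_interop_shell(ev):
    """A Windows shell/interpreter whose parent is the WSL bridge."""
    return basename(ev.parent_image) in WSL_PARENTS and basename(ev.image) in INTEROP_TARGETS


def is_encoded_powershell(ev):
    """PowerShell started with an encoded command, a common evasion."""
    return (basename(ev.image) in {"powershell.exe", "pwsh.exe"}
            and ENCODED_RE.search(ev.command_line.lower()) is not None)


def is_wsl_invocation(ev):
    """Informational: WSL itself being launched."""
    return basename(ev.image) in WSL_PARENTS


def reasons_for(ev):
    """Ordered list of rule names that fired for one event."""
    checks = [
        ("wsl_interop_shell", is_wsl_interop_shell),
        ("encoded_powershell", is_encoded_powershell),
        ("wsl_invocation", is_wsl_invocation),
    ]
    return [name for name, check in checks if check(ev)]


def scan_events(lines):
    """Return one finding per event that triggered at least one rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable records are skipped, not silently flagged
        reasons = reasons_for(ev)
        if reasons:
            findings.append({"event": ev, "reasons": reasons})
    return findings


def is_elf(data):
    """True if a dropped file starts with the ELF magic (triage for Windows-side drops)."""
    return data[:4] == ELF_MAGIC


if __name__ == "__main__":
    for f in scan_events(SAMPLE_LOG):
        ev = f["event"]
        print(f"{', '.join(f['reasons'])}: {basename(ev.parent_image)} -> {ev.command_line}")
```

Run against the constructed records, the script flags the WSL-parented encoded PowerShell, the WSL-parented cmd.exe, and the plain WSL launch, and leaves the explorer-launched build script alone. The design point is the caveat above: nothing inside the WSL 2 virtual machine appears in Windows process logs, so detection has to key on the bridge, and that is why a low-noise "WSL was launched at all" signal is worth keeping on hosts where WSL is not expected.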

  • garylcamp
    Not clear to me that this malware is on all Windows or is installed by user some how. If user installed, let us know how NOT TO.
    Reply
  • DXRick
    Nathaniel makes it sound like Microsoft did it, instead of hackers exploiting a weakness in WSL, until you read the whole article.

    Secondly, there's bad grammar:

    "Black Lotus Labs revealed on Thursday that it's ... "

    should be: "Black Lotus Labs revealed on Thursday that they... "
    Reply
  • USAFRet
    "The researchers said the malware was distributed via Executable and Linkable Format (ELF) files intended to run on Debian, a popular Linux distribution, and its derivatives. In some cases those files contained a payload intended for a target PC; in others they received a payload from remote command and control infrastructure. "

    So not something in the WSL code, but it seems something the user has downloaded and tried to install.


    DXRick said:
    "Black Lotus Labs revealed on Thursday that it's ... "

    should be: "Black Lotus Labs revealed on Thursday that they... "
    Could also be:
    "Black Lotus Labs revealed on Thursday that it has discovered..."
    Reply