
Security researchers have discovered malware that runs inside the Windows Subsystem for Linux (WSL) environment.
The finding was reported by Black Lotus Labs, part of the American telecommunications company Lumen Technologies. The researchers found several malicious Python files compiled into Executable and Linkable Format (ELF) binaries for Debian Linux.
How does this malware work?
"These files acted as loaders, launching a payload that was either embedded in the sample itself or retrieved from a remote server, and then injected into a running process using Windows API calls," Black Lotus Labs explains.
In 2017, a little more than a year after WSL's release, Check Point researchers demonstrated a proof-of-concept attack called Bashware that allowed malicious actions to be carried out from ELF and EXE executables inside a WSL environment. But WSL is disabled by default, and Windows 10 ships with no Linux distribution installed, so the threat from Bashware did not seem practical.
Four years later, however, something similar has been discovered in the wild. Black Lotus Labs notes that the malicious samples have a very low detection rate on VirusTotal, which means most antivirus engines miss them.
More specifics
Two variants of the malware were found. The first is written in pure Python; the second additionally uses a library to call into the Windows API and run a PowerShell script. Black Lotus Labs suggests that the second variant is still under development, since it does not work on its own.
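The loader behaviour described above (a Linux ELF that reaches into the Windows side through Windows API calls or PowerShell) gives defenders a simple heuristic: an ELF binary sitting in a WSL distribution's filesystem has no ordinary reason to name Windows DLLs, process-injection APIs, or PowerShell. The following scanner is an added example written for this article, not code from Black Lotus Labs or Lumen. The marker strings, the 64 MiB read cap, and the constructed demo files are assumptions chosen for illustration; the indicators should be tuned to your environment before use.

```python
"""Heuristic scan for Linux ELF binaries that carry Windows-side indicators.

Added example for this article, not code from Black Lotus Labs or Lumen.
The marker strings and the demo directory are assumptions for illustration.
"""
from pathlib import Path
import tempfile

ELF_MAGIC = b"\x7fELF"
MAX_READ = 64 * 1024 * 1024  # per-file cap so a huge binary cannot exhaust memory

# Assumed indicators (compared case-insensitively): a Linux ELF normally has
# no reason to name Windows DLLs, injection APIs, or PowerShell; a WSL-hosted
# loader that bridges into Windows would.
SUSPICIOUS_MARKERS = (
    b"kernel32.dll",
    b"virtualallocex",
    b"writeprocessmemory",
    b"createremotethread",
    b"powershell",
)


def is_elf(data: bytes) -> bool:
    """True if the buffer starts with the ELF magic number."""
    return data[:4] == ELF_MAGIC


def find_markers(data: bytes) -> list[str]:
    """Return the suspicious markers present in the buffer, in table order."""
    lower = data.lower()
    return [m.decode() for m in SUSPICIOUS_MARKERS if m in lower]


def scan_file(path: Path) -> list[str]:
    """Markers found in one file, or [] if it is unreadable, not an ELF, or clean."""
    try:
        with path.open("rb") as fh:
            data = fh.read(MAX_READ)
    except OSError:
        return []
    if not is_elf(data):
        return []
    return find_markers(data)


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map of POSIX-style relative path -> markers for every flagged ELF under root."""
    hits: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            markers = scan_file(path)
            if markers:
                hits[path.relative_to(root).as_posix()] = markers
    return hits


def build_demo_tree(root: Path) -> None:
    """Write constructed sample files: one clean ELF, one suspicious ELF, and
    one non-ELF text file that mentions PowerShell (must not be flagged)."""
    (root / "bin").mkdir(parents=True, exist_ok=True)
    # 64-byte ELF64 header stub (magic, 64-bit, little-endian, version 1) plus
    # zero padding: enough for the magic check, not a loadable binary.
    header = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 57
    (root / "bin" / "clean").write_bytes(header + b"libc.so.6\x00")
    (root / "bin" / "loader").write_bytes(
        header
        + b"KERNEL32.DLL\x00WriteProcessMemory\x00CreateRemoteThread\x00"
        + b"powershell -nop -w hidden\x00"
    )
    (root / "notes.txt").write_bytes(b"run powershell later\n")


def run_demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, markers in run_demo().items():
        print(f"{rel}: {', '.join(markers)}")
```

Run `scan_tree` against the root of each WSL distribution (from inside the distro, `/`; from Windows, the path under which the distro's rootfs is stored, which varies by WSL version and install method). String matching of this kind is a triage aid, not a verdict: a packed or encrypted payload will not expose these markers, and a legitimate interop tool may.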
The samples also revealed an IP address (185.63.90[.]137), associated with targets in Ecuador and France, with which infected machines attempted to communicate over ports 39000-48000 in late June and early July. The researchers suspect the malware's operator was testing a VPN or proxy server.
Source: theregister, lumen
Illustrations: CC0 Public Domain