WSL (Windows Subsystem for Linux) is a compatibility layer that Microsoft ships with Windows 10 and Windows 11. It lets developers run Linux distributions directly on a Windows system, including distributions with a GUI. In recent years I have not heard of potential security issues with WSL, but it now seems that attackers are trying to compromise Windows systems through it.
Researchers have found that attackers have been building malicious Linux binaries since May. The samples have been seen in the wild, but no large-scale attacks or cases of actual use have been found, which suggests that the attackers are still actively testing at this stage.
So far there are no known cases of attackers using WSL to launch large-scale attacks on Windows, and the approach itself is not new. According to the researchers, the attackers build a malicious ELF file and then use the Windows API to call into it and inject a payload into a running process. Nothing about this technique is new or complicated; it could even be called conventional. In essence, the loader injects and loads further malicious files, either from an embedded payload or fetched from a remote server.
In the few samples identified, the researchers found that the attackers even connected to hard-coded IP addresses rather than a proper C2 server. This also suggests they are still testing the method of infecting Windows through WSL; once the technique matures, they are likely to move to C2 servers so that the malware does not fail when a server's IP address changes or is blocked.
“As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality” – Black Lotus Labs
The detected samples use Python 3 to carry out their tasks and are packaged with PyInstaller into ELF executables built on Debian. They were found on VirusTotal, which also suggests that the attackers were submitting them there during development to see how many anti-virus engines they could evade. Notably, one of the samples was not detected by any anti-virus engine on VirusTotal.
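The point raised in the quote above, that Windows endpoint agents rarely inspect ELF files, is one a defender can check for directly. The following is an added example (not code from the article or from Black Lotus Labs) of a minimal scanner that walks a directory tree, identifies ELF binaries by their magic bytes and flags those that carry PyInstaller's archive cookie, the packaging the samples are described as using. The directory layout and sample files are constructed for the demonstration; the `\\wsl$\<distro>\` path mentioned in the docstring is the share through which Windows exposes a WSL root filesystem.

```python
"""Find ELF executables in a directory tree and flag PyInstaller-packed ones.

Added example for this article; the sample files are constructed, not real
malware. Point scan_tree() at a WSL rootfs exposed to Windows (for example
under \\wsl$\\<distro>\\) or at any other directory of interest.
"""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# Cookie that PyInstaller writes at the end of every bundled executable
# (MEI\014\013\012\013\016 in its source). Finding it inside an ELF file is a
# strong hint that the binary is a packaged Python program, as in the samples
# described above.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def classify_file(path):
    """Return 'not-elf', 'elf' or 'elf-pyinstaller' for the file at path."""
    with open(path, "rb") as f:
        data = f.read()
    if not data.startswith(ELF_MAGIC):
        return "not-elf"
    # The PyInstaller cookie sits near the end of the file, so search all of it.
    if PYINSTALLER_MAGIC in data:
        return "elf-pyinstaller"
    return "elf"


def scan_tree(root):
    """Walk root and return {relative path: classification} for ELF files only."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                kind = classify_file(path)
            except OSError:  # unreadable file, broken symlink, etc.
                continue
            if kind != "not-elf":
                findings[os.path.relpath(path, root)] = kind
    return findings


def build_demo_tree():
    """Create a temporary tree of constructed sample files and return its path."""
    root = tempfile.mkdtemp(prefix="wsl_elf_scan_")
    # Minimal 16-byte e_ident: ELF magic, 64-bit class, little-endian, version 1.
    elf_ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9
    with open(os.path.join(root, "plain_elf"), "wb") as f:
        f.write(elf_ident + b"\x00" * 48)
    with open(os.path.join(root, "packed_elf"), "wb") as f:
        # Constructed: an ELF header followed by a PyInstaller-style trailer.
        f.write(elf_ident + b"\x00" * 48 + b"PYZ-00.pyz" + PYINSTALLER_MAGIC + b"\x00" * 16)
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("constructed text file, not an executable\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel_path, kind in sorted(scan_tree(demo_root).items()):
        print(f"{kind:16} {rel_path}")
```

The check is deliberately coarse: a PyInstaller-packed ELF is not malicious by itself, so the output is a triage list for an analyst or for a signature engine that does understand ELF, not a verdict.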
One variant of the ELF-to-Windows loader relies on PowerShell and executes shellcode. It also tries to use Python to call functions that kill running anti-virus software, which both addresses the detection problem and lets it establish persistence on the system, including running a PowerShell script every 20 seconds.
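The persistence behaviour described above, a PowerShell script launched from WSL every 20 seconds, leaves a clear trace in process-creation telemetry. The following is an added example (not from the article or from the researchers) of detection logic run over constructed, Sysmon-style log lines. It assumes that the Windows-side parent of a process launched through WSL interop shows up as `wsl.exe`, `bash.exe` or `wslhost.exe`; verify the parent image names against your own telemetry before relying on the rule.

```python
"""Flag PowerShell processes launched from WSL at short, regular intervals.

Added example; the log lines are constructed to mimic Sysmon event 1 fields
(timestamp | parent image | image | command line) and are not real telemetry.
"""
from datetime import datetime
import statistics

# Assumed Windows-side parent images for processes spawned via WSL interop.
WSL_PARENTS = {"wsl.exe", "bash.exe", "wslhost.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Constructed sample: four launches from wsl.exe 20 seconds apart, plus one
# unrelated interactive PowerShell started by the user from Explorer.
SAMPLE_LOG = r"""
2021-09-16T10:00:00Z|C:\Windows\explorer.exe|C:\Windows\System32\wsl.exe|wsl.exe
2021-09-16T10:00:05Z|C:\Windows\System32\wsl.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -File /mnt/c/Users/dev/.cache/run.ps1
2021-09-16T10:00:25Z|C:\Windows\System32\wsl.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -File /mnt/c/Users/dev/.cache/run.ps1
2021-09-16T10:00:30Z|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Users\dev\build.ps1
2021-09-16T10:00:45Z|C:\Windows\System32\wsl.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -File /mnt/c/Users/dev/.cache/run.ps1
2021-09-16T10:01:05Z|C:\Windows\System32\wsl.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -File /mnt/c/Users/dev/.cache/run.ps1
"""

# Constructed sample of normal developer activity: two launches half an hour apart.
BENIGN_LOG = r"""
2021-09-16T11:00:00Z|C:\Windows\explorer.exe|C:\Windows\System32\wsl.exe|wsl.exe
2021-09-16T11:00:10Z|C:\Windows\System32\wsl.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Date
2021-09-16T11:30:00Z|C:\Windows\System32\wsl.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Date
"""


def basename(win_path):
    """Lower-cased final component of a Windows path."""
    return win_path.rsplit("\\", 1)[-1].lower()


def parse_line(line):
    """Split one pipe-separated record into a dict with a parsed timestamp."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "parent": basename(parent),
        "image": basename(image),
        "cmdline": cmdline,
    }


def find_periodic_wsl_powershell(log_text, min_events=3, max_median_gap=30.0):
    """Return an alert dict if PowerShell is spawned from a WSL parent at least
    min_events times with a median gap of max_median_gap seconds or less;
    otherwise return None."""
    events = [parse_line(ln) for ln in log_text.strip().splitlines() if ln.strip()]
    hits = sorted(
        (e for e in events if e["parent"] in WSL_PARENTS and e["image"] in POWERSHELL_IMAGES),
        key=lambda e: e["ts"],
    )
    if len(hits) < min_events:
        return None
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
    median_gap = statistics.median(gaps)
    if median_gap > max_median_gap:
        return None
    return {
        "count": len(hits),
        "median_gap_s": median_gap,
        "first_seen": hits[0]["ts"].isoformat(),
        "command_lines": sorted({h["cmdline"] for h in hits}),
    }


if __name__ == "__main__":
    print(find_periodic_wsl_powershell(SAMPLE_LOG))
    print(find_periodic_wsl_powershell(BENIGN_LOG))
```

Keying on the median gap rather than on an exact 20-second period keeps the rule robust to jitter and to the interval being changed in a later build; tune `min_events` and `max_median_gap` to the noise level of developer workstations that legitimately script PowerShell from WSL.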