A new malware variant uses Windows Subsystem for Linux to infect systems been in to limelight and avoid from detection.

The initial samples of WSL loaders found and detected extremely poorly in public file scanning services. The next step is the injection of Windows API calls into an ongoing process, a method that is neither new nor advanced.

Out of few discovered instances, only one has been given a publicly routable IP address, indicating that attackers concerned are testing WSL for malware installation on Windows. The malevolent files mostly rely on Python 3 to perform their duties and are bundled with PyInstaller as ELF for Debian.

Most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality.

Alternatives, written in Python 3 entirely, doesn’t even use Windows APIs and is the first WSL loader effort. It is functional with both Windows and Linux with normal python libraries.

In 2016, Microsoft released the Windows Subsystem for Linux. When WSL was newly released from beta in September, investigators from Check Point revealed a catastrophe termed Bashware, where WSL could be misused to hide malicious code from security products.

The scientists theorize that the code is still being created, even in the final level, depending on the incoherence detected in the analysis of multiple samples. The limited public IP exposure suggests activities in Ecuador and France, which are restricted to targets. If WSL enabled, make sure that logging is activated to detect these intrusions.