Windows Subsystem for Linux is new Trojan Horse for malware as ELF binaries for WSL used to hack PCs have low ‘detection rate’

WSL used for injecting malware into Windows OS? Pic credit: Yuri Samoilov/Flickr

The Windows Subsystem for Linux (WSL), a compatibility layer for running Linux binaries and applications on Windows, is serving as a conduit for attacks on the Windows operating system (OS). Linux binaries running on Windows PCs have a concerningly low detection rate.

A new form of attack methodology is threatening Windows 10, and potentially Windows 11 as well. Threat actors are packaging malware inside weaponized Linux binaries to hack PCs running Microsoft’s operating system.

Linux is now threatening Windows 10 and Windows 11 with viruses, malware, and other threats?

Security researchers have reportedly discovered malicious Linux binaries. These malware-laden pieces of software aren’t threatening Linux Distributions or Distros.

Malicious code writers are apparently using Linux as a Trojan Horse to stealthily attack and compromise Windows PCs. Simply put, Linux is just a medium to deliver malware into Windows OS and infect the system.

Security researchers claim threat actors are turning to Linux because of its growing integration into Windows. With Windows Subsystem for Linux, Microsoft has successfully integrated Linux inside Windows OS.

Specifically, the malware targeting WSL acts as a loader. Threat actors are experiencing success simply because standard and public virus scanning services do not detect suspicious content inside Linux binaries built for WSL.

Black Lotus Labs has outlined the increasing threat to Windows PCs in a blog post. “As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality”.

The cybersecurity company was referring to ELF, the Executable and Linkable Format. Technical jargon aside, ELF files are the Linux counterpart of EXE files on Windows: the native executable format for Linux distros.

How do Linux binaries inside ELF Files attack and compromise a Windows PC?

It might sound a little odd, but Linux binaries are successfully compromising Windows PCs simply because Windows-focused security tools are not yet equipped to analyze their nature, behavior, and actions.

The ELF files with malicious intent either have the payload embedded or fetch it from a remote server. It is at this stage that popular virus scanning services must intervene, but that’s not happening yet.

Once malicious binaries are running inside WSL, they inject the malware into a running process using Windows API calls. This is a very common and simple infection technique.
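The detection gap described above comes down to Windows security tooling not recognizing ELF content at all, so a basic defensive triage step is to find ELF files on a Windows host by their header rather than by file extension. The script below is an added example written for this article, not code from Black Lotus Labs or from the original page: it parses the fixed part of the ELF header (magic, class, endianness, type, machine) from the first bytes of a file and walks a directory reporting every file that carries it, whatever it is named. The sample header bytes and the file names used in `demo()` are constructed here for illustration.

```python
import os
import struct
import tempfile

# First four bytes of every ELF file: 0x7F followed by "ELF".
ELF_MAGIC = b"\x7fELF"

# e_machine values for the architectures WSL distributions commonly ship.
MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
# e_type values: relocatable, executable, shared object (also PIE), core dump.
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data: bytes):
    """Return a dict describing an ELF header, or None if data is not ELF.

    Only the first 20 bytes are needed: the 16-byte e_ident array followed
    by the 2-byte e_type and 2-byte e_machine fields.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class = data[4]  # 1 = 32-bit, 2 = 64-bit
    ei_data = data[5]   # 1 = little-endian, 2 = big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None     # magic present but identification bytes are invalid
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": TYPES.get(e_type, f"unknown({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine:#x})"),
    }


def scan_directory(root: str):
    """Walk root and return (path, header_info) for every file that is ELF.

    Files are identified by content, so a renamed binary (e.g. 'update.txt')
    is still reported. Unreadable files are skipped rather than aborting.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue
            info = parse_elf_header(head)
            if info is not None:
                hits.append((path, info))
    return hits


# Constructed sample: a minimal 64-bit little-endian x86-64 ELF header
# (e_ident, then e_type=EXEC, e_machine=0x3E, e_version=1). Not a real binary.
SAMPLE_ELF64 = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + struct.pack("<HHI", 2, 0x3E, 1)
)


def demo():
    """Write two constructed files with misleading names and scan them.

    Returns the base names of the files flagged as ELF, sorted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "update.txt"), "wb") as fh:
            fh.write(SAMPLE_ELF64)          # ELF content hidden behind .txt
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("just a text file\n")  # genuine text, must not be flagged
        return sorted(os.path.basename(p) for p, _ in scan_directory(tmp))


if __name__ == "__main__":
    for path, info in scan_directory("."):
        print(path, info)
```

Run it against a WSL distribution's root (typically under `%LOCALAPPDATA%\Packages`) or any folder where unexpected executables might land; hits with `type` of `EXEC` or `DYN` and an unfamiliar path are the ones worth submitting to a sandbox or a scanner that does understand ELF.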

Black Lotus Labs calls these threats WSL malware loaders. The cybersecurity research company has not come across any serious security threat yet. It is quite likely that cybercriminals are merely testing this new infection technique before launching attacks.

The Windows Subsystem for Linux arrived in 2016 and has matured significantly. In addition to running Linux commands and scripts, the newly introduced WSL2 can even run Linux apps with GUI support.
