Windows admins running Linux warned of threat

IT administrators are being warned of a new threat that abuses the Windows operating system’s ability to run Linux binaries to upload malware.

The warning comes from researchers at Lumen, who say at least one threat actor is trying to leverage a capability in Windows Subsystem for Linux (WSL) to squirm into an IT environment. WSL runs a Linux environment within Windows, allowing the use of Linux command-line tools without the overhead of a virtual machine. Among those who take advantage of it are application developers, who use it as a convenient method for pulling in open-source software.

But in a column the company said it has recently discovered malicious files that were written primarily in Python and compiled in the Linux binary format ELF (Executable and Linkable Format) for the Debian Linux operating system. “These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls,” researchers said. “While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virus Total, depending on the sample, as of the time of this writing.”

“To our knowledge, this small set of samples denotes the first instance of an actor abusing WSL to install subsequent payloads,” they add.

Researchers admit because they have identified a limited number of samples with only one publicly routable IP address, the activity is “quite limited in scope or potentially still in development.”

That one IP address targeted organizations in Ecuador and France on ephemeral ports between 39000 – 48000 in late June and early July. It could have been an actor testing this new capability from a VPN or proxy node, researchers speculate. “With broader industry detection of this technique, we suspect additional activity will be uncovered,” they add.

Mike Benjamin, Lumen’s vice president of product security and head of its Black Lotus Labs team told SC Magazine that there isn’t a vulnerability in WSL, and it is not up to Microsoft to issue a fix. “This is a threat actor abusing a legitimate application,” he was quoted as saying.

Lumen advises IT defenders who have enabled WSL to follow Microsoft recommendations and ensure proper logging in order to detect this type of tradecraft.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Stemming the tide of cybercrime

By: Derek Manky Technology continues to play a significant role in accelerating...

Power through a work-from-anywhere lifestyle with the LG gram

“The right tool for the right job” is an old adage...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now