Linux ELF binaries malware that attacks via the Windows Subsystem for Linux (WSL)
September 20, 2021A group of researchers from the US telecommunications company Lumen Technologies discovered Python files translated into ELF binary format that download malicious code when executed by WSL and inject it into running Windows processes via Windows API calls. The malware is rather simple in design and was probably developed for testing purposes. alware first tries to disable known anti-virus programs on the computer and then communicates with an external IP address on ports in the range 39000 to 48000.
Maleware function
written in Python 3 and compiled as an ELF binary for Debian systems using PyInstaller. One version works entirely with Python and another sample of the malware loads a PowerShell script via the Windows API, which executes the main functions of the malicious code. To be executed on the target system, the malicious code must be downloaded from the victim and executed via WSL.