{"id":90536,"date":"2021-11-02T16:31:48","date_gmt":"2021-11-02T11:01:48","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=90536"},"modified":"2023-02-15T17:49:58","modified_gmt":"2023-02-15T12:19:58","slug":"stay-alert-malware-authors-deploy-elf-as-windows-loaders-to-exploit-wsl-feature","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/stay-alert-malware-authors-deploy-elf-as-windows-loaders-to-exploit-wsl-feature\/","title":{"rendered":"Stay Alert \u2013 Malware Authors Deploy ELF as Windows Loaders to Exploit WSL feature"},"content":{"rendered":"

What is WSL?<\/b><\/strong><\/h2>\n

The Windows Subsystem for Linux (WSL) is a resource inside the Windows operating system that allows users to execute Linux command lines on a machine running Windows operating system. The Windows Subsystem for Linux uses an application known as Bash.exe, which launches a Linux dialogue box within the Windows operating system interface. This might be considered as a “shell” application that runs within Windows.<\/p>\n

There is a new attack chain that is going on in which attackers target the WSL environment. The files are written in Python 3 and then, with the help of PyInstaller, converted into an ELF executable for Debian Linux. These files act as loaders running a payload embedded within the sample or retrieved from a remote server and then injected into a running process. This tradecraft can enable an actor to obtain an unnoticed footing on a compromised machine. The ELF loader has two variants: the first is written entirely in Python, while the second uses Python to call several Windows APIs via ctypes and launch a PowerShell<\/a> script to perform further operations on the host machine. Some of the samples included lightweight payloads generated by an open-source tool like Meterpreter. In other situations, the files try to download shellcode from a remote C2.<\/p>\n

\"\"<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Fig1:<\/i><\/em>\u00a0Flow Diagram<\/p>\n

PowerShell is used to inject and execute the shellcode in some samples, while Python ctypes is used to resolve Windows APIs in others.<\/p>\n

In the PowerShell sample, the compiled python code calls three functions named –<\/p>\n