Hackers Deploy ELF on Windows Loaders to Exploit WSL Features


Aug 17, 2014
  • Researchers have found malware actors deploying ELF loaders on Windows users via the WSL environment to install malware.
  • The malware is written in Python and uses Meterpreter to infiltrate systems.
  • It also blocks certain applications that detect and prevent malware persistence and infection on systems.
Researchers from Quick Heal have announced that they have discovered hackers using an ELF executable targeting the WSL environment within Windows. The Windows Subsystem for Linux (WSL) is used for firing up a Linux environment and executing Linux-specific command lines via an app called Bash.exe. In effect, this serves as a “shell” within Windows.

This particular ELF malware is written in Python 3 and converted via PyInstaller for Debian Linux into an ELF executable. These files either load internal files bundled within the ELF executable or fetch them from remote servers.

This ELF loader has two variants – a Python-only code and another using Python to launch Windows APIs via ctypes along with PowerShell scripts for other operations on infected devices. Samples may include lightweight payloads generated via open-source tools like Meterpreter or might download shellcode via a command and control server.
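Because the loaders described above are Python scripts packed with PyInstaller into ELF binaries, a defender triaging files found under a WSL distribution can check for exactly that combination. The script below is an added example, not Quick Heal's or the article's code; it assumes the PyInstaller CArchive cookie layout (`MEI\x0c\x0b\x0a\x0b\x0e` magic, big-endian `!8sIIii64s` record) used by PyInstaller's bootloader, and the sample blob it inspects is constructed inline.

```python
"""Triage an ELF blob for PyInstaller packaging (added example, not from the article)."""
import struct

ELF_MAGIC = b"\x7fELF"
# PyInstaller's CArchive cookie: magic, archive length, TOC offset, TOC length,
# Python version, bundled libpython name (layout assumed from PyInstaller's bootloader).
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
PYI_COOKIE = "!8sIIii64s"
PYI_COOKIE_SIZE = struct.calcsize(PYI_COOKIE)  # 88 bytes
EM_X86_64 = 0x3E


def parse_elf_header(data: bytes):
    """Return (bits, e_machine) if data starts with an ELF header, else None."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    bits = {1: 32, 2: 64}.get(data[4], 0)          # EI_CLASS
    endian = "<" if data[5] == 1 else ">"           # EI_DATA
    (e_machine,) = struct.unpack(endian + "H", data[18:20])
    return bits, e_machine


def parse_pyinstaller_cookie(data: bytes):
    """Locate the PyInstaller cookie and decode the Python version and libpython name."""
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or pos + PYI_COOKIE_SIZE > len(data):
        return None
    _, _, _, _, pyvers, pylib = struct.unpack(PYI_COOKIE, data[pos:pos + PYI_COOKIE_SIZE])
    # Older bootloaders encode 3.7 as 37, newer ones as 307; handle both forms.
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\0").decode(errors="replace")}


def triage(data: bytes) -> dict:
    """Flag ELF binaries that carry a PyInstaller archive, as the WSL loaders described do."""
    hdr = parse_elf_header(data)
    if hdr is None:
        return {"elf": False, "pyinstaller": False}
    bits, machine = hdr
    cookie = parse_pyinstaller_cookie(data)
    return {"elf": True, "bits": bits, "x86_64": machine == EM_X86_64,
            "pyinstaller": cookie is not None, "cookie": cookie}


# Constructed sample: a bare ELF64 x86-64 header, filler, then a PyInstaller cookie.
SAMPLE = (ELF_MAGIC + b"\x02\x01\x01\x00" + b"\x00" * 8 + struct.pack("<HH", 2, EM_X86_64)
          + b"\x00" * 44
          + struct.pack(PYI_COOKIE, PYI_MAGIC, 4096, 512, 256, 309, b"libpython3.9.so.1.0"))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit on both checks is a triage lead, not a verdict: plenty of legitimate tooling ships as PyInstaller-built ELF binaries, so the flagged file still needs context (where it sits in the WSL rootfs, what spawned it, what it connects to).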