- Qilin ransomware uses WSL to run Linux encryptors stealthily on Windows systems
- Attackers bypass Windows defenses by executing ELF binaries inside WSL environments
- EDR tools miss WSL-based threats, leaving critical sectors vulnerable to Qilin’s extortion campaigns
Ransomware hackers have been spotted running Linux encryptors on Windows machines in a bid to avoid detection by security tools, experts have found.
Researchers at Trend Micro reported observing the Qilin ransomware operation running the Windows Subsystem for Linux (WSL) feature in compromised endpoints.
WSL is a feature in Windows that allows admins to run a full Linux environment directly on a Windows machine without needing a virtual machine or dual-boot setup. It lets developers and system administrators use Linux command-line tools (like bash, grep, ssh, apt, etc.) natively alongside Windows applications.
Focusing on Windows PE behavior
Trend Micro says the attackers are using WSL to be able to launch the ELF executable on a Windows device and to bypass traditional Windows security software.
“In this case, the threat actors were able to run the Linux encryptor on Windows systems by taking advantage of the Windows Subsystem for Linux (WSL), a built-in feature that allows Linux binaries to execute natively on Windows without requiring a virtual machine,” Trend Micro said.
“After gaining access, the attackers enabled or installed WSL using scripts or command-line tools, then deployed the Linux ransomware payload within that environment. This gave them the ability to execute a Linux-based encryptor directly on a Windows host while avoiding many defenses that are focused on detecting traditional Windows malware.”
According to the publication, many Windows Endpoint Detection and Response (EDR) products focus on Windows PE behavior, missing suspicious activity happening inside WSL.
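A simple hunt over process-creation telemetry for the two behaviours the report describes, WSL being enabled from the command line and a WSL launcher executing a payload staged on a Windows drive, as an added example that is not Trend Micro's or TechRadar's code. Field names (Computer, Image, CommandLine) follow Sysmon's conventions; the sample events are constructed and the heuristics are assumptions, not indicators from the report.

```python
"""Flag the WSL abuse pattern described above in process-creation events."""
from __future__ import annotations
import json
import re
from typing import Iterable

# Heuristic 1 (assumption): commands that enable or install WSL.
WSL_ENABLE_PATTERNS = [
    re.compile(r"dism(\.exe)?\s.*enable-feature.*microsoft-windows-subsystem-linux", re.I),
    re.compile(r"enable-windowsoptionalfeature.*microsoft-windows-subsystem-linux", re.I),
    re.compile(r"\bwsl(\.exe)?\s+--install\b", re.I),
]

# Heuristic 2 (assumption): a WSL launcher running something from a Windows drive mount.
WSL_LAUNCHERS = {"wsl.exe", "bash.exe"}
MNT_PATH = re.compile(r"/mnt/[a-z]/\S+", re.I)


def classify(event: dict) -> str | None:
    """Return a finding label for one process-creation event, or None if benign."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()  # basename of the binary
    cmd = event.get("CommandLine", "")
    if any(p.search(cmd) for p in WSL_ENABLE_PATTERNS):
        return "wsl_enabled_from_cli"
    if image in WSL_LAUNCHERS and MNT_PATH.search(cmd):
        return "wsl_exec_from_windows_path"
    return None


def hunt(events: Iterable[dict]) -> list[dict]:
    """Run classify() over events and keep only the hits, with host and command line."""
    return [{"finding": f, "host": e.get("Computer"), "cmd": e.get("CommandLine")}
            for e in events if (f := classify(e))]


def hunt_jsonl(text: str) -> list[dict]:
    """Parse JSON-lines telemetry (one event per line) and hunt over it."""
    return hunt(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample telemetry (not from the report), JSON lines as an EDR might export them.
SAMPLE_EVENTS = r"""
{"Computer": "FS01", "Image": "C:\\Windows\\System32\\dism.exe", "CommandLine": "dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart"}
{"Computer": "FS01", "Image": "C:\\Windows\\System32\\wsl.exe", "CommandLine": "wsl.exe -e /mnt/c/ProgramData/enc"}
{"Computer": "DEV02", "Image": "C:\\Windows\\System32\\wsl.exe", "CommandLine": "wsl.exe -d Ubuntu"}
{"Computer": "DEV02", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
"""

if __name__ == "__main__":
    for hit in hunt_jsonl(SAMPLE_EVENTS):
        print(hit)
```

Ordinary developer use of WSL (the DEV02 lines) produces no hit; tune the patterns to your own baseline before alerting on them.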
Qilin is a ransomware-as-a-service (RaaS) operation first observed in 2022. It was first known as Agenda and, since rebranding, has grown into one of the most active extortion platforms.
Its biggest and highest-profile victims have tended to be data-rich and critical organisations: healthcare providers and laboratories (the 2024 Synnovis attack that disrupted NHS services is widely cited), local and regional government entities in the US, utilities and manufacturing, and large private companies including recent claims against firms such as Asahi.
Via BleepingComputer