Linux Executables Used as Stealth Windows Loaders in WSL Attacks
Researchers identified a series of samples, uploaded every two to three weeks, that target the WSL environment.
All samples share similar tradecraft and are compiled with Python 3.9 using PyInstaller for the Debian operating system version 8.3.0-6.
Some of the samples contained lightweight payloads which could have been generated from open-source tools such as MSFVenom or Meterpreter.
In other cases, the files attempted to download shellcode from a remote C2.
Researchers observed an evolution of this tradecraft, with the earliest samples written purely in Python 3 and the latest iteration using ctypes to call Windows APIs, in addition to employing PowerShell to perform subsequent actions on the host machine.
Python Variant
The variant written in Python that does not utilize any Windows API appeared to be the earliest iteration of the loader file.
One notable feature is that this loader used standard Python libraries, making it cross-compatible: it can run on both Linux and Windows machines. Researchers found one test sample in which the script prints a phrase that translates from Russian to the informal "Hello Sanya", indicating that the author has some familiarity with the language.
All of the files associated with this tradecraft contained private, or non-routable, IP addresses, except for one.
That sample contained a public IP address of 185.63.90[.]137 as well as a loader file written in Python and converted into an executable via PyInstaller.
The file first attempted to allocate memory on the machine, then created a new process and injected a resource that was stored on a remote server located at hxxp://185.63.90[.]137:1338/stagers/l5l.py.
When Black Lotus Labs researchers tried to retrieve the resource from this remote server, the file had already been taken offline, indicating that the threat actor left this address in from either a test or a previous campaign.
Researchers did identify a couple of other malicious files that all communicated with the same IP address (185.63.90[.]137) around the same timeframe as the samples containing Meterpreter payloads, some of which were obfuscated with the Shikata Ga Nai encoder.
While the Meterpreter framework is very well known in the industry, that has not stopped cybercrime and ransomware groups from using it in the past. Researchers also hypothesize that it would be trivial for the operator to swap out the Meterpreter payload for some more advanced tools such as either Cobalt Strike or even a custom agent.
WSL Variant Using PowerShell And Ctypes
The ELF-to-Windows-binary execution path differed between files. In some samples, PowerShell was used to inject and execute the shellcode; in others, Python ctypes was used to resolve Windows APIs.
In one PowerShell sample, the compiled Python called three functions: kill_av(), reverseshell() and windowspersistance().
The kill_av() function did as its name implies: it attempted to kill suspected AV products and analysis tools using os.popen().
The reverseshell() function used a subprocess to execute a Base64-encoded PowerShell script every 20 seconds inside an infinite while-true loop, blocking any other function from being executed.
The windowspersistance() function copied the original ELF file to the AppData folder under the name payload.exe and used a subprocess to add a registry run key for persistence.
windowspersistance() is called with the string "TIME TO Presist" (note the misspelling of "persist").
The decoded PowerShell used GetDelegateForFunctionPointer to call VirtualAlloc, copied the MSFVenom payload into the allocated memory and again used GetDelegateForFunctionPointer to call CreateThread on the allocated memory containing the payload.
Another sample used Python ctypes to resolve Windows APIs to inject and call the payload.
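The PowerShell sample described above leaves a detectable trace: a Base64-encoded command line that, once decoded, names the VirtualAlloc / GetDelegateForFunctionPointer / CreateThread chain. The triage script below is an added example, not code from the Black Lotus Labs report; the process records, the Resolve-Api token in the fixture and the two-of-three indicator threshold are constructed assumptions.

```python
import base64
import re

# Constructed PowerShell fragment (not runnable, not from the report) that carries
# the API names the decoded loader used; only the tokens matter to the detector.
LOADER_SCRIPT = (
    "$va = Resolve-Api kernel32.dll VirtualAlloc; "
    "$alloc = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($va, $sig); "
    "$ct = Resolve-Api kernel32.dll CreateThread; "
    "[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ct, $sig2)"
)

def _enc(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation records: (parent image, command line).
SAMPLE_EVENTS = [
    ("python3", "powershell.exe -nop -w hidden -enc " + _enc(LOADER_SCRIPT)),
    ("explorer.exe", "powershell.exe -Command Get-Date"),
    ("cmd.exe", "powershell.exe -EncodedCommand " + _enc("Write-Host 'hello'")),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; -ep/-exec do not match.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
LOADER_APIS = ("GetDelegateForFunctionPointer", "VirtualAlloc", "CreateThread")

def decode_encoded_powershell(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed Base64 or not UTF-16LE: leave it for manual review

def loader_indicators(script: str):
    """Names from LOADER_APIS present in a decoded script, case-insensitively."""
    low = script.lower()
    return [api for api in LOADER_APIS if api.lower() in low]

def triage(events):
    """Flag records whose decoded PowerShell names at least two of the loader APIs."""
    hits = []
    for parent, cmdline in events:
        script = decode_encoded_powershell(cmdline)
        if script is None:
            continue
        found = loader_indicators(script)
        if len(found) >= 2:
            hits.append({"parent": parent, "indicators": found})
    return hits
```

In the constructed data only the record spawned by the Python parent is flagged; the benign encoded Write-Host command decodes cleanly but matches no indicator.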