Black Lotus Labs, the threat intelligence arm of Lumen Technologies has claimed to have proven what was previously just a theory: threat actors can use a Linux binary as a loader designed for Windows Subsystem for Linux (WSL) to inject malicious files into a Windows running process.
Back in 2017, researchers theorised that Linux binaries could potentially be used as backdoors to gain access to WSL, but there has never been evidence of such activity in the wild until now. According to the company, today’s findings claims to have proved that it is not only possible – it’s actually happening – and samples have been actively developed to abuse this attack surface. This could make it a threat to any machine on which the local system administrator has already installed WSL.
“Threat actors always look for new attack surfaces,” said Mike Benjamin, Lumen vice president of product security and head of Black Lotus Labs. “While the use of WSL is generally limited to power users, those users often have escalated privileges in an organisation. This creates blind spots as the industry continues to remove barriers between operating systems.”
The key findings include several malicious files that were written primarily in Python and compiled in the Linux binary format ELF (Executable and Linkable Format) for the Debian operating system. These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and then injected into a running process using Windows API calls.
While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virus Total, depending on the sample, as of the time of the report.
The company said it has identified a limited number of samples with only one publicly routable IP address, indicating that this activity is limited in scope – potentially still in development – and likely the first documented instance of an actor abusing WSL to install subsequent payloads.
“To combat this campaign, Black Lotus Labs null-routed the threat actor infrastructure across the Lumen global IP network,” reads a company blog.
Black Lotus has recommended system administrators who have enabled WSL should ensure proper logging to detect this type of tradecraft.