Black Lotus Labs, the threat intelligence arm of Lumen Technologies, has proven what was previously just a theory threat actors can use a Linux binary as a loader designed for Windows Subsystem for Linux (WSL) to inject malicious files into a Windows running process.
Back in 2017, researchers theorized that Linux binaries could potentially be used as backdoors to gain access to WSL, but there has never been evidence of such activity in the wild until now. Today’s findings from Black Lotus Labs proves that it is not only possible – it’s actually happening – and samples have been actively developed to abuse this attack surface. This could make it a threat to any machine on which the local system administrator has already installed WSL.
Recommended ITech News: Cloud Security Alliance Releases New Guidelines Providing Insight Into Effectively Using Its Industry-Leading Security Assessment, Assurance Tools
Black Lotus Labs proved what was previously just a theory: Linux binaries can be used as backdoors to gain access to WSL
“Threat actors always look for new attack surfaces,” said Mike Benjamin, Lumen vice president of product security and head of Black Lotus Labs. “While the use of WSL is generally limited to power users, those users often have escalated privileges in an organization. This creates blind spots as the industry continues to remove barriers between operating systems.”
Recommended ITech News: Exabeam Opens Office in ‘Silicon Valley of Maharashtra’ Pune, India to Support Cloud Offering Demand
Key Findings:
- Black Lotus Labs discovered several malicious files that were written primarily in Python and compiled in the Linux binary format ELF (Executable and Linkable Format) for the Debian operating system.
- These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and then injected into a running process using Windows API calls.
- While this approach was not particularly sophisticated, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virus Total, depending on the sample, as of the time of the report.
- Black Lotus Labs has identified a limited number of samples with only one publicly routable IP address, indicating that this activity is limited in scope – potentially still in development – and likely the first documented instance of an actor abusing WSL to install subsequent payloads.
Recommended ITech News: Informa Tech Expands Insight into Cybersecurity Industry with NetSecOPEN Partnership