Black Lotus Labs discovers evolving capabilities of Linux binaries used as loaders in WSL

DENVER, March 24, 2022 /PRNewswire/ -- Last fall, Black Lotus Labs, the threat intelligence team at Lumen Technologies (NYSE: LUMN), discovered what had, until then, only been theorized: Linux binaries were being used as loaders in Windows Subsystem for Linux (WSL). Since then, the team has analyzed more than 100 samples that indicate the capability is evolving.

Windows Subsystem for Linux: Threats Still Lurk Below the (Sub)Surface

Several of the samples leveraged custom-developed and open-source tools (OSTs) that actors could use to evade detection while gaining access to endpoints and computer networks.

"This new class of WSL-based attack demonstrates the blurring boundaries between operating systems," said Michelle Lee, director of threat intelligence at Black Lotus Labs. "Because the types of users running WSL tend to have greater network privileges, organizations that use WSL as part of their day-to-day operations should take note to bolster their defenses as quickly as possible."

Tech Talk

Given the demonstrated actor interest, and given that even the samples with live command and control (C2) infrastructure are largely evading detection by antivirus (AV) products, the infosec community should monitor this newly proven type of attack.

Several samples were custom-built modules exhibiting a range of functionality that included keylogging, shellcode injection, a stager, and even a cross-platform agent that worked in both Windows and Linux.

While evaluating samples, Black Lotus Labs found several agents that were largely based on OSTs found on websites like GitHub.

Additional Resources

Read Black Lotus Labs' initial report proving that Linux executables were being deployed as stealth Windows loaders.

To learn more about how to monitor a Windows system with WSL installed for indicators of malicious activity, read this SANS whitepaper.

If your corporate environment uses WSL, Black Lotus Labs recommends enabling Sysinternals System Monitor (Sysmon) so that process creation originating from WSL (wsl.exe, bash.exe and the Windows binaries they spawn) is logged and can be audited.
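The following is an added example of how that recommendation can be put into practice; it is not code from the Black Lotus Labs report or from the SANS whitepaper, and it contains none of their indicators. It writes a minimal Sysmon configuration that records process creation involving the WSL launcher, installs or reloads Sysmon with it, and then reads the resulting event ID 1 records back by field name. The config path (C:\ProgramData\sysmon-wsl.xml), the presence of Sysmon64.exe in the current directory, and the set of WSL process names (wsl.exe, wslhost.exe, bash.exe) are assumptions; which of those names appears as the parent of an interop-launched Windows binary varies by WSL version, so confirm it on your own build before relying on the parent-image rules.

```powershell
# Added example (not from the original page): audit process creation that
# involves WSL with Sysmon, then query the resulting events.
# Assumptions: Sysmon64.exe is in the current directory; the config is written
# to C:\ProgramData\sysmon-wsl.xml. Neither path comes from the original page.

$ConfigPath = 'C:\ProgramData\sysmon-wsl.xml'

# Process-creation rules. Sysmon runs on the Windows host, so it records
# wsl.exe / wslhost.exe / bash.exe and any Windows binary those processes
# spawn through interop. Linux processes inside the WSL 2 VM are not visible
# to host-side Sysmon; the SANS whitepaper referenced above covers that side.
$SysmonConfig = @'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="wsl-process-create" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- The WSL launcher and helpers being started -->
        <Image condition="end with">\wsl.exe</Image>
        <Image condition="end with">\wslhost.exe</Image>
        <Image condition="end with">\bash.exe</Image>
        <!-- Anything (cmd, powershell, rundll32 ...) spawned from WSL -->
        <ParentImage condition="end with">\wsl.exe</ParentImage>
        <ParentImage condition="end with">\wslhost.exe</ParentImage>
        <ParentImage condition="end with">\bash.exe</ParentImage>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

Set-Content -Path $ConfigPath -Value $SysmonConfig -Encoding ASCII

# Install Sysmon with this config, or reload the config if the service is
# already present (-c updates the configuration of a running instance).
$installed = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if ($installed) {
    & .\Sysmon64.exe -c $ConfigPath
} else {
    & .\Sysmon64.exe -accepteula -i $ConfigPath
}

# Sysmon event ID 1 (ProcessCreate) since $Since. EventData fields are read
# by name from the event XML so the script does not depend on field order,
# which differs between Sysmon versions.
function Get-WslProcessEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['User']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
            ParentImage = $data['ParentImage']
        }
    }
}

# Surface Windows binaries launched from inside WSL: the interop path a
# Linux-side loader would use to run a Windows payload.
$wslNames = '\\(wsl|wslhost|bash)\.exe$'
Get-WslProcessEvents |
    Where-Object { $_.ParentImage -match $wslNames -and $_.Image -notmatch $wslNames } |
    Format-Table Time, User, ParentImage, Image, CommandLine -AutoSize -Wrap
```

Run it from an elevated PowerShell session, since both installing Sysmon and reading its operational log require administrator rights. The rule set above is deliberately narrow (include-only, WSL processes and their direct children) so it can be dropped into an existing Sysmon configuration as one more RuleGroup without flooding the log; a developer who routinely runs Windows tools from a WSL shell will still generate hits, so baseline the output for your environment before alerting on it.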

About Lumen Technologies and the People of Lumen:

