DENVER, September 16, 2021 / PRNewswire / – Black Lotus Labs, the threat intelligence arm of Lumen Technologies (NYSE: LUMN), has proven what was previously just a theory: Threat actors can use a Linux binary as a loader that works for the Windows subsystem for Linux (WSL) was developed. to smuggle malicious files into a running Windows process.
Back in 2017, researchers theorized that Linux binaries could potentially be used as backdoors to gain access to WSL, but there has never been any evidence of such activity in the wild until now. Today’s findings from Black Lotus Labs prove that this is not only possible – it actually happens – and examples have been actively developed to misuse this attack surface. This could become a threat to any computer on which the local system administrator has already installed WSL.
“Threat actors are always looking for new attack surfaces,” said Mike Benjamin, Lumen Vice President of Product Security and Head of Black Lotus Labs. “While the use of WSL is generally limited to power users, those users often have elevated privileges in an organization. This creates blind spots as the industry continues to remove barriers between operating systems.”
- Black Lotus Labs discovered several malicious files mainly written in Python and compiled in the Linux binary format ELF (Executable and Linkable Format) for the Debian operating system.
- These files acted as loaders executing a payload that was either embedded in the sample or obtained from a remote server and then inserted into a running process using Windows API calls.
- While this approach was not particularly mature, the novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of one or zero in Virus Total, depending on the sample, at the time of this report.
- Black Lotus Labs has identified a limited number of examples with only one publicly routable IP address, suggesting that this activity is limited in scope – possibly still in development – and is likely the first documented case of an actor abusing WSL to install subsequent payloads.
To combat this campaign, Black Lotus Labs have rerouted the threat actors’ infrastructure from Lumen to zero over the global IP network.
Recommendations and resources:
- Read the full Black Lotus Labs blog to learn how to identify this craft, view file hashes related to the campaign, and view the threat actor’s larger cluster of activity.
- System administrators who have WSL enabled should ensure proper logging to detect this type of Tradecraft.
- Black Lotus Labs continues to follow this activity and encourages others to do the same.
- Anyone who sees similar activities in their environment can report on Twitter @BlackLotusLabs.
About Lumen Technologies:
Lumen is guided by our belief that humanity is best when technology advances the way we live and work. With around 450,000 fiber miles and customers in more than 60 countries, we offer the fastest, most secure platform for applications and data to help businesses, government agencies and communities deliver amazing experiences.
Find out more about the Lumen network, edge cloud, security, communication and collaboration solutions and our purpose of promoting human progress through technology at news.lumen.com/home, LinkedIn: / lumentechnologies, Twitter: @ lumentechco, Facebook: / lumentechnologies, Instagram: @lumentechnologies and YouTube: / lumentechnologies. Lumen and Lumen Technologies are registered trademarks in The United States.
SOURCE Lumen Black Lotus Labs