Windows Subsystem for Linux: Threats Still Lurk Below the (Sub)Surface

Lumen security research reveals threats still lurk in Windows Subsystem for Linux

Black Lotus Labs discovers evolving capabilities of Linux binaries used as loaders in WSL

Last fall, Black Lotus Labs, the threat intelligence team at Lumen Technologies, discovered what had – until then – only been theorized: Linux binaries were being used as loaders in Windows Subsystem for Linux (WSL). Since then, the team has analyzed more than 100 samples that indicate the capability is evolving.

Several of the samples leveraged custom-developed and open-source tools (OSTs) that could be used by actors to evade detection while gaining access into endpoints and computer networks.

"This new class of WSL-based attack demonstrates the blurring boundaries between operating systems," said Michelle Lee, director of threat intelligence at Black Lotus Labs. "Because the types of users running WSL tend to have greater network privileges, organizations that use WSL as part of their day-to-day operations should take note to bolster their defenses as quickly as possible."

Tech Talk

  • Given the demonstrated interest and the fact that even the samples with valid command and control (C2) infrastructure are evading general detection by AV providers, the infosec community should monitor this newly proven type of attack.
  • Several samples were custom-built modules exhibiting a range of functionality that included keylogging, shellcode injection, a stager, and even a cross-platform agent that worked in both Windows and Linux.
      o The increase in custom modules suggests the WSL attack surface is a growing area of interest.
      o While many of the samples did not yet appear to be fully functional, they demonstrate attack methods that are actively being tested and refined.
  • While evaluating samples, Black Lotus Labs found several agents that were largely based on OSTs found on websites like GitHub.
      o OSTs enable actors to minimize development time by using publicly available tools rather than creating their own.
      o All the OST-based samples that leveraged WSL also relied upon third-party services such as Discord and Telegram for command and control.
      o Black Lotus Labs suspects that by using third-party network services and operating in a nebulous subsystem space, threat actors may be trying to evade some standard detection mechanisms.
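The combination the research highlights, a process running under WSL that talks to a public service such as Discord or Telegram, is something a defender can correlate in endpoint telemetry. The following is an added example, not code from Lumen or Black Lotus Labs: the field names imitate Sysmon-style process-create and DNS-query records, the WSL launcher list and service domains are assumptions, and every path, PID and binary name in the sample data is constructed.

```python
"""Heuristic correlation of WSL-hosted processes with known third-party C2 channels.
Constructed example: field names imitate Sysmon-style process-create and DNS-query
telemetry but are not bound to any real product schema."""
import re

# Windows images that launch or host WSL distributions (assumed list, not from the report).
WSL_PARENTS = {"wsl.exe", "wslhost.exe", "bash.exe", "ubuntu.exe", "debian.exe"}
# Path fragment under which WSL1 distribution root filesystems live.
WSL_ROOTFS = re.compile(r"\\LocalState\\rootfs\\", re.IGNORECASE)
# Public services the research says the OST-based samples used for C2.
THIRD_PARTY_C2 = ("discord.com", "discordapp.com", "api.telegram.org", "t.me")

def is_wsl_hosted(ev: dict) -> bool:
    """True if the process was spawned by a WSL launcher or lives in a distro rootfs."""
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    return parent in WSL_PARENTS or bool(WSL_ROOTFS.search(ev.get("image", "")))

def is_third_party_c2(host: str) -> bool:
    """Exact or subdomain match against the third-party service list."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in THIRD_PARTY_C2)

def correlate(process_events: list, dns_events: list) -> list:
    """Return (pid, image, host) for WSL-hosted processes resolving a listed service.
    Ordinary Windows apps talking to Discord are ignored: the signal is the WSL origin."""
    wsl_pids = {e["pid"]: e["image"] for e in process_events if is_wsl_hosted(e)}
    return [(d["pid"], wsl_pids[d["pid"]], d["query"])
            for d in dns_events
            if d["pid"] in wsl_pids and is_third_party_c2(d["query"])]

# Constructed sample telemetry; paths, PIDs and binary names are placeholders, not IoCs.
ROOTFS = r"C:\Users\alice\AppData\Local\Packages\ExampleDistro_placeholder\LocalState\rootfs"
PROCESS_EVENTS = [
    {"pid": 4120, "image": ROOTFS + r"\tmp\agent", "parent_image": r"C:\Windows\System32\wsl.exe"},
    {"pid": 5200, "image": r"C:\Program Files\Browser\browser.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 6010, "image": ROOTFS + r"\home\alice\stager", "parent_image": ROOTFS + r"\bin\bash"},
]
DNS_EVENTS = [
    {"pid": 4120, "query": "discord.com"},          # WSL process -> flagged
    {"pid": 4120, "query": "archive.ubuntu.com"},   # WSL process, benign host -> ignored
    {"pid": 5200, "query": "discord.com"},          # Windows browser -> ignored
    {"pid": 6010, "query": "api.telegram.org"},     # WSL process -> flagged
]

if __name__ == "__main__":
    for pid, image, host in correlate(PROCESS_EVENTS, DNS_EVENTS):
        print(f"WSL-hosted process {pid} ({image}) contacted {host}")
```

Legitimate WSL workloads also use these services, so the hits are a triage queue rather than a verdict; tuning the parent and domain lists to the environment is expected.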

Source: Lumen media announcement
