Lumen Technologies’ Black Lotus Labs Proves Linux Executable Files Can Be Used as Stealth Windows Loaders

Black Lotus Labs, the threat intelligence arm of Lumen Technologies, has proven what was previously just a theory: threat actors can use a Linux binary as a loader designed for Windows Subsystem for Linux (WSL) to inject malicious files into a Windows running process.

Back in 2017, researchers theorized that Linux binaries could potentially be used as backdoors to gain access to WSL, but there has never been evidence of such activity in the wild until now. These findings from Black Lotus Labs proves that it is not only possible – it’s actually happening – and samples have been actively developed to abuse this attack surface. This could make it a threat to any machine on which the local system administrator has already installed WSL.

“Threat actors always look for new attack surfaces,” says Mike Benjamin, Lumen vice president of product security and head of Black Lotus Labs. “While the use of WSL is generally limited to power users, those users often have escalated privileges in an organization. This creates blind spots as the industry continues to remove barriers between operating systems.”