Threats lurking beneath the subsurface: Understanding and abusing Windows Subsystem for Linux (WSL)

Presented at Kernelcon 2022, April 1, 2022, 2 p.m. (60 minutes).

In April 2016, Microsoft shocked the PC world when it announced the Windows Subsystem for Linux (WSL). WSL is a supplemental feature that runs a Linux image in a near-native environment on Windows, allowing for terminal functionality without the over-head of a virtual machine. While this new functionality was welcomed by developers, it also introduced a new attack surface threat actors can ( and do ) target. Black Lotus Labs recently identified several malicious files that were compiled in the Linux binary format ELF which utilized native windows APIs. Over the past several months, Black Lotus Labs has identified numerous "stagers" - i.e. lightweight scripts that load more robust agents into memory - keyloggers, and in some cases fully functional remote access trojans. The novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate nearly, or in some cases a, zero for sample found on Virustotal. Suggesting that while this technique may be niche, as it requires WSL to be pre-installed by an admin, it can provide threat actors a blind spot to operate while evading some EDR products. This talk will briefly introduce WSL, then focus on the samples Black Lotus Labs observed abusing this feature in the wild, and how we analyzed these malicious files.


Presenters:

  • Daniel Adamitis
    Daniel Adamitis is a Principal Information Security Engineer at Lumen Technologies responsible for advanced actor tracking and threat intelligence. He previously performed threat analysis and reporting on nation-state campaigns while at Cisco Talos, before joining Lumen's Black Lotus Labs. In his spare time, he enjoys cooking and running with his dog.

Similar Presentations: