Black Lotus Labs Confirms Windows Subsystem for Linux Is Being Abused as a Stealth Malware Loader
Four years ago, it was theorized that attackers could use Windows Subsystem for Linux (WSL) to run Linux binaries that load malicious code onto a Windows host while evading security tools that only inspect Windows executables. Until recently, there was no evidence that anyone had actually done so.
That speculation is over: Black Lotus Labs has not only shown that the technique works but has found it in use in the wild.
Lumen Vice President, Mike Benjamin, says, “While the use of WSL is generally limited to power users, those users often have escalated privileges in an organization.” Benjamin adds, “This creates blind spots as the industry continues to remove barriers between operating systems.”
Black Lotus Labs identified a series of samples, uploaded every two to three weeks between May 3, 2021, and August 22, 2021. The samples were written in Python 3.9 and packaged as Linux ELF executables with PyInstaller for Debian, version 8.3.0-6. All but one of the samples contained only private IP addresses; the exception contacted a publicly routable address (185.63.90[.]137). The private addresses suggest the loader may still be in development and being tested in a lab, while the public one may be the first known instance of the technique being used to deliver malicious payloads through WSL.
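The sample description above (Linux ELF files built with PyInstaller, most carrying private addresses and one a routable address) maps directly onto the first triage an analyst does on a suspect file pulled from a WSL distro's filesystem. The following script is an added example written for this page; it is not Black Lotus Labs or Lumen tooling. It checks the ELF magic, looks for the cookie the PyInstaller bootloader embeds in every packaged binary, extracts IPv4 addresses, and splits them into private and public so the routable ones can be defanged and reported as indicators. The sample bytes are constructed, and the example assumes the addresses sit in plaintext; in a real PyInstaller package the Python payload is compressed, so the archive would be unpacked first.

```python
from __future__ import annotations

import ipaddress
import re

ELF_MAGIC = b"\x7fELF"
# Cookie the PyInstaller bootloader writes into every packaged binary
# (PYINST_COOKIE_MAGIC in the bootloader source).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Dotted-quad candidates not glued to other digits/dots (rejects 1.2.3.4.5).
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def defang(ip: str) -> str:
    """Render 185.63.90.137 as 185.63.90[.]137 so it cannot be auto-linked."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def extract_ipv4(data: bytes) -> list[str]:
    """Return unique, syntactically valid IPv4 addresses in order of appearance."""
    found: list[str] = []
    for match in IPV4_RE.findall(data):
        text = match.decode("ascii")
        try:
            ipaddress.IPv4Address(text)  # rejects octets > 255
        except ValueError:
            continue
        if text not in found:
            found.append(text)
    return found


def triage(data: bytes) -> dict:
    """Classify one file: is it an ELF, is it PyInstaller-packed, where does it call out to?"""
    private: list[str] = []
    public: list[str] = []
    for ip in extract_ipv4(data):
        addr = ipaddress.IPv4Address(ip)
        # is_global is False for RFC 1918, loopback, link-local and reserved space.
        (public if addr.is_global else private).append(ip)
    is_elf = data.startswith(ELF_MAGIC)
    packed = PYINSTALLER_MAGIC in data
    return {
        "is_elf": is_elf,
        "pyinstaller": packed,
        "private_ips": private,
        "public_ips": [defang(ip) for ip in public],
        # Only a PyInstaller ELF with a routable callback is worth escalating;
        # lab builds talking to private space are noted but not escalated.
        "suspect": is_elf and packed and bool(public),
    }


# Constructed stand-in for a WSL loader: fake ELF ident, plaintext strings
# (a real package would be compressed), PyInstaller cookie near the tail.
SAMPLE_ELF = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"import socket; C2 = '185.63.90.137'\x00"
    + b"fallback 192.168.1.20 and 10.0.0.5 and bogus 999.1.1.1\x00"
    + PYINSTALLER_MAGIC + b"\x00" * 16
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ELF).items():
        print(f"{key:>12}: {value}")
```

Run against a directory of files pulled from `\\wsl$\<distro>\` the same logic turns into a quick hunt: anything that is an ELF, carries the PyInstaller cookie, and talks to routable space deserves a closer look, whereas a packed ELF that only references RFC 1918 space is consistent with the in-development builds the research describes.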
Find out more about this new attack in the official Lumen blog, “No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loaders.”