A brand new backdoor related to a malware downloader named Wslink has been found, with the device doubtless utilized by the infamous North Korea-aligned Lazarus Group, new findings reveal.
The payload, dubbed WinorDLL64 by ESET, is a fully-featured implant that may exfiltrate, overwrite, and delete information; execute PowerShell instructions; and acquire complete details about the underlying machine.
Its different options comprise itemizing energetic classes, creating and terminating processes, enumerating drives, and compressing directories.
Wslink was first documented by the Slovak cybersecurity agency in October 2021, describing it as a “easy but outstanding” malware loader that is able to executing obtained modules in reminiscence.
“The Wslink payload might be leveraged later for lateral motion, as a result of its particular curiosity in community classes,” ESET researcher Vladislav Hrčka stated. “The Wslink loader listens on a port specified within the configuration and might serve further connecting purchasers, and even load varied payloads.”
Intrusions leveraging the malware are stated to be extremely focused owing to the truth that solely a handful of detections have been noticed up to now in Central Europe, North America, and the Middle East.
In March 2022, ESET elaborated on the malware’s use of an “superior multi-layered digital machine” obfuscator to evade detection and resist reverse engineering.
The hyperlinks to Lazarus Group stem from overlaps in habits and code to that of earlier campaigns – Operation GhostSecret and Bankshot – which have been attributed to the superior persistent risk.
This contains similarities with the GhostSecret samples detailed by McAfee in 2018, which include a “data-gathering and implant-installation element” that runs as a service, mirroring the identical habits of Wslink.
ESET stated the payload was uploaded to the VirusTotal malware database from South Korea, the place a number of the victims are positioned, including credence to the Lazarus involvement.
The findings are as soon as once more demonstrative of the huge arsenal of hacking instruments employed by the Lazarus Group to infiltrate its targets.
“Wslink’s payload is devoted to offering means for file manipulation, execution of additional code, and acquiring intensive details about the underlying system that presumably might be leveraged later for lateral motion,” ESET stated.