Lazarus Group Likely Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data

February 23, 2023 | Ravie Lakshmanan | Cyber Threat / Data Security


New research has surfaced on a previously undocumented backdoor associated with a malware downloader named Wslink, a tool likely used by the Lazarus Group, which is infamously affiliated with North Korea.

The payload, dubbed WinorDLL64 by ESET, is a fully functional implant that can exfiltrate, overwrite, and delete files, run PowerShell commands, and gather comprehensive information about the underlying machine.

Other features include listing active sessions, creating and terminating processes, enumerating drives, and compressing directories.

Wslink was first documented in October 2021 by the Slovak cybersecurity firm, which described it as a “simple but remarkable” loader capable of executing received modules in memory.

ESET Researcher Vladislav Hrčka said: “The Wslink loader listens on ports specified in its configuration and can serve additional connecting clients or load various payloads.”

Intrusions involving the malware are said to be highly targeted, since only a handful of detections have been observed so far, in Central Europe, North America, and the Middle East.

In March 2022, ESET detailed how the malware uses an “advanced multi-layered virtual machine” obfuscator to evade detection and resist reverse engineering.


The link to the Lazarus Group stems from overlaps in behavior and code with previous campaigns (Operation GhostSecret and Bankshot) that have been attributed to the advanced persistent threat.

It also shares similarities with the GhostSecret sample McAfee detailed in 2018, which comes with a “Data Collection and Implant Installation Component” that runs as a service, mirroring the behavior of Wslink.

Adding credibility to Lazarus’ involvement, ESET noted that the payload was uploaded to the VirusTotal malware database from South Korea, where some of the victims are located.

The findings once again point to the sheer number of hacking tools the Lazarus Group uses to compromise its targets.

“The Wslink payload is dedicated to providing a means to obtain extensive information about the underlying system that may later be leveraged for file manipulation, further code execution, and lateral movement,” said ESET.
