WinorDLL64, a payload delivered by the Wslink loader, has been linked to the North Korea-linked Advanced Persistent Threat (APT) group known as Lazarus.
The connection was made by cybersecurity company Eset, which published an analysis of the payload earlier today.
“Wslink […] is a loader for Windows binaries, and unlike other such loaders, it runs as a server and executes received modules in memory,” writes Eset Malware Analyst Vladislav Hrčka.
According to the advisory, no initial compromise vector for Wslink has been identified. The sample was uploaded to VirusTotal from South Korea after the company’s advisory was published.
“The WinorDLL64 payload acts as a backdoor, among other things, to retrieve extensive system information, provide file manipulation methods such as extracting, overwriting and deleting files, and execute additional commands,” wrote Hrčka.
Additionally, the Wslink loader listens on a port specified in its configuration; it can reportedly serve multiple connected clients at once and load further payloads.
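A server-mode loader of the kind described above is unusual on an endpoint: most malware connects out, whereas Wslink waits for an operator to connect in. A cheap hunting heuristic is therefore to list processes holding a listening socket and flag those whose executable lives outside the normal system directories. The script below is an added example and is not Eset's code or an indicator from its report; the `netstat -ano`-style lines, the PID-to-image table and the path `C:\Users\Public\Libraries\winupdsvc.exe` are all constructed for illustration, and the port values carry no meaning.

```python
"""Flag listening processes whose image path is outside trusted directories.

Added example (not from the Eset report). The netstat output and the
PID -> image path table are constructed sample data; on a real host you
would feed in `netstat -ano` and `tasklist /fo csv` (or the equivalent
PowerShell cmdlets) instead.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of Windows `netstat -ano`:
#   Proto  Local Address  Foreign Address  State  PID
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1188
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       7312
  TCP    192.168.1.20:51234     203.0.113.7:443        ESTABLISHED     4420
"""

# Constructed PID -> image path table (what `tasklist` would give you).
# The winupdsvc.exe path is hypothetical: a user-writable drop location.
PROCESS_PATHS = {
    912: r"C:\Windows\System32\svchost.exe",
    4: "System",
    1188: r"C:\Windows\System32\svchost.exe",
    7312: r"C:\Users\Public\Libraries\winupdsvc.exe",
    4420: r"C:\Program Files\Mozilla Firefox\firefox.exe",
}

# Directories from which listening services are normally expected.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Pseudo-process names netstat reports for kernel-owned sockets.
KERNEL_IMAGES = {"System"}

# Proto, local addr, local port, foreign addr, optional state, PID.
# UDP lines have no state column, hence the optional group.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int
    image: str


def parse_listeners(netstat_text: str, paths: dict[int, str]) -> list[Listener]:
    """Return one Listener per TCP LISTENING (or UDP bound) socket."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # outbound/established sockets are not what we hunt for
        pid = int(pid)
        found.append(Listener(proto, addr, int(port), pid, paths.get(pid, "<unknown>")))
    return found


def suspicious_listeners(listeners: list[Listener],
                         trusted: tuple[str, ...] = TRUSTED_PREFIXES) -> list[Listener]:
    """Keep listeners whose image is neither a kernel pseudo-process nor under a trusted prefix."""
    flagged = []
    for lst in listeners:
        if lst.image in KERNEL_IMAGES:
            continue
        if lst.image.lower().startswith(trusted):
            continue
        flagged.append(lst)
    return flagged


if __name__ == "__main__":
    for hit in suspicious_listeners(parse_listeners(NETSTAT_SAMPLE, PROCESS_PATHS)):
        print(f"[!] PID {hit.pid} listening on {hit.proto} {hit.addr}:{hit.port} from {hit.image}")
```

On the constructed sample only PID 7312 is reported, because its executable sits under a user-writable path. The heuristic is deliberately coarse: a signed binary under `C:\Windows` can still be a loader, so treat a hit as a triage lead to be followed up with signature checks and in-memory inspection, not as a verdict.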
First discovered by the Eset team in 2021, Wslink was not immediately associated with Lazarus by security experts. The connection was made only recently, based on overlaps in targeted region, behavior and code with known Lazarus samples. In particular, overlaps were observed with two campaigns attributed to Lazarus: Operation GhostSecret and the Bankshot implants.
“WinorDLL64 contains overlaps in development environment, behavior, and code with several Lazarus samples, which shows that there is a connection,” explains Hrčka.
More information about the samples analysed by Eset, along with the associated indicators of compromise (IoCs), is provided in the company’s advisory on its website.
The technical report comes weeks after the US Federal Bureau of Investigation (FBI) linked the Lazarus Group to the theft of $100 million from cryptocurrency company Harmony. More recently, the APT has been observed making an “operational security mistake” while targeting companies in the research, medical and energy sectors.