A new backdoor associated with a malware downloader named Wslink has been discovered, and the tool is likely used by the North Korea-aligned Lazarus Group, new findings reveal. The payload, dubbed WinorDLL64 by ESET, is a fully featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and collect comprehensive information about the underlying machine. Its other capabilities include listing active sessions, creating and terminating processes, enumerating drives, and compressing directories. Wslink was first documented by ESET, the Slovak cybersecurity firm, in October 2021, which described it as a "simple yet remarkable" malware loader capable of executing received modules in memory.
"The Wslink payload can be leveraged later for lateral movement, due to its specific interest in network sessions," ESET researcher Vladislav Hrčka said. "The Wslink loader listens on a port specified in the configuration and can serve additional connecting clients, and even load various payloads." Intrusions leveraging the malware are believed to be highly targeted, given that only a handful of detections have been observed to date, in Central Europe, North America, and the Middle East. In March 2022, ESET elaborated on the malware's use of an "advanced multi-layered virtual machine" obfuscator to evade detection and resist reverse engineering.
This malware is concerning because of its lateral-movement capability and its evasion techniques. It is worth watching for, and if you suspect your systems may have been infected, reach out to a security professional for help.