Hackers, probably North Korean, have developed a new tool for spying on targets around the world.
ESET researchers have discovered a new backdoor delivered by a malware loader called Wslink. The tool is probably used by the North Korean group Lazarus.
The payload, dubbed WinorDLL64, is a full-featured implant that executes commands in memory and can:
exfiltrate, overwrite and delete files;
execute PowerShell commands;
collect extensive information about the compromised machine;
list active sessions;
create and terminate processes.
Those capabilities, the researchers said, could later be used for lateral movement. The Wslink loader itself listens on a port specified in its configuration, can serve additional connecting clients, and loads the payload.
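The loader behaviour described above (a process listening on a configured port and serving connecting clients) suggests a straightforward host-side hunt: enumerate listening TCP sockets and flag any whose owning process is not an expected server. The following Python script is an added example, not ESET's code and not part of the original article. The page does not publish the port Wslink uses, so the script allowlists known (image, port) pairs rather than matching a fixed port. The `netstat -ano` output, the PID-to-image mapping, the allowlist and the unexpected image name `WindowsUpdateHelper.exe` are all constructed for the example.

```python
"""Hunt for unexpected listening TCP sockets on a Windows host.

Added example, not part of the original article and not ESET's code.
Input is the text of `netstat -ano` plus a PID -> image-name map such as
`tasklist` produces; both samples below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (Windows). The LISTENING
# socket on port 49672 owned by PID 5120 is the one we expect to flag.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    [::]:3389              [::]:0                 LISTENING       1208
  TCP    0.0.0.0:49672          0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.5:49833         10.0.0.9:443           ESTABLISHED     2244
  UDP    0.0.0.0:500            *:*                                    1640
"""

# Constructed PID -> image map (as `tasklist` would give). The image name
# "WindowsUpdateHelper.exe" is hypothetical, chosen only for the example.
TASKLIST_SAMPLE: dict[int, str] = {
    4: "System",
    912: "svchost.exe",
    1208: "svchost.exe",
    1640: "svchost.exe",
    2244: "chrome.exe",
    5120: "WindowsUpdateHelper.exe",
}

# Listeners expected on this hypothetical host, as (image name, port).
EXPECTED_LISTENERS: set[tuple[str, int]] = {
    ("System", 445),
    ("svchost.exe", 135),
    ("svchost.exe", 3389),
}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    pid: int
    image: str


# Matches only TCP sockets in LISTENING state; ESTABLISHED and UDP lines
# do not match because the PID column must directly follow "LISTENING".
# Greedy \S+ with backtracking also handles bracketed IPv6 addresses.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_output: str, pid_to_image: dict[int, str]) -> list[Listener]:
    """Return every listening TCP socket, resolved to its owning image name."""
    listeners: list[Listener] = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        listeners.append(Listener(addr, port, pid, pid_to_image.get(pid, "<unknown>")))
    return listeners


def unexpected_listeners(listeners: list[Listener],
                         expected: set[tuple[str, int]]) -> list[Listener]:
    """Keep listeners whose (image, port) pair is not on the allowlist."""
    return [l for l in listeners if (l.image, l.port) not in expected]


if __name__ == "__main__":
    found = parse_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for l in unexpected_listeners(found, EXPECTED_LISTENERS):
        print(f"UNEXPECTED LISTENER pid={l.pid} image={l.image} {l.addr}:{l.port}")
```

Two caveats for real use. Matching on image name alone is weak, since an implant can run inside a hollowed or injected legitimate process (the page says WinorDLL64 executes in memory), so confirm each hit against the image path, its Authenticode signature and the process's loaded modules. And an allowlist built from a single healthy host will not fit every role; build it per host class.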
ESET considers the attacks targeted: only a handful of detections have been recorded to date, in Central Europe, North America and the Middle East.
In March 2022, ESET researchers found that the malware uses an advanced multi-layered virtual machine obfuscator to evade detection and resist reverse engineering.
The researchers attribute the tool to the Lazarus Group because of code overlaps with GhostSecret samples from the group's earlier campaigns; those samples include a "data collection and implant component" whose behavior matches Wslink's.
ESET also noted that the payload was uploaded to VirusTotal from South Korea, where some of the victims are located, which likewise points to Lazarus.
The researchers concluded that the Wslink payload provides a means of manipulating files, executing code and gathering extensive information about the underlying system, which could later be used for lateral movement.