A payload of the Wslink downloader named WinorDLL64 has been connected to the North Korea-aligned advanced persistent threat (APT) group known as Lazarus Group.
The link was made by cybersecurity researchers at ESET, who published an article about it earlier today.
“Wslink […] is a loader for Windows binaries that, contrary to other such loaders, runs as a server and executes received modules in memory,” wrote ESET malware analyst Vladislav Hrčka.
According to the advisory, the initial Wslink compromise vector was not identified, but the malware was uploaded to VirusTotal from South Korea following the publication of the company's advisory.
“The WinorDLL64 payload serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, such as exfiltrating, overwriting, and removing files, and executes additional commands,” wrote Hrčka.
Further, the Wslink loader listens on a port specified in its configuration file. It can reportedly serve other connecting clients and load additional payloads.
First seen by the ESET team in 2021, Wslink was not immediately linked by the security researchers with Lazarus. The connection was made only recently, thanks to an overlap in the targeted region, behavior and code with known Lazarus samples. In particular, the overlaps were observed with two Lazarus-attributed campaigns: Operation GhostSecret and the Bankshot implant.
“WinorDLL64 contains an overlap in the development environment, behavior, and code with several Lazarus samples, which indicates that it might be a tool from the vast arsenal of this North-Korea-aligned APT group,” Hrčka explained.
More information about the samples analyzed by ESET, as well as the associated indicators of compromise (IoCs), is provided in the firm’s advisory.
The technical write-up comes months after the US Federal Bureau of Investigation (FBI) linked Lazarus Group to the $100m theft from cryptocurrency firm Harmony. More recently, the APT was spotted committing an “operational security slip-up” while targeting research, medical and energy sector firms.
Some parts of this article are sourced from:
www.infosecurity-journal.com