Tuesday, April 23, 2024

Lazarus Group Unleashes New Backdoor Malware through Wslink Downloader

A new backdoor linked to the notorious North Korea-aligned Lazarus Group has been discovered by researchers.

The malware downloader, named Wslink, has been found to be associated with a new payload, dubbed WinorDLL64, which can exfiltrate, overwrite, and delete files, as well as execute PowerShell commands and obtain comprehensive information about the underlying machine.


According to ESET, Wslink was first documented in October 2021, when it was described as a “simple yet remarkable” malware loader capable of executing received modules in memory. The newly identified payload, however, can also be used for lateral movement, given its specific interest in network sessions.

The malware has been found to be highly targeted, with only a few detections observed to date in Central Europe, North America, and the Middle East. Additionally, ESET noted that the malware uses an “advanced multi-layered virtual machine” obfuscator to evade detection and resist reverse engineering.

Links to Lazarus Group

Links to the Lazarus Group have been found due to similarities in behavior and code to previous campaigns, including Operation GhostSecret and Bankshot, which have been attributed to the advanced persistent threat.

These similarities include features similar to the GhostSecret samples detailed by McAfee in 2018, which also come with a “data-gathering and implant-installation component” that runs as a service, mirroring the behavior of Wslink.

The payload was uploaded to the VirusTotal malware database from South Korea, where some of the victims are located, adding credence to the involvement of the Lazarus Group.

The findings highlight the vast array of hacking tools employed by the Lazarus Group to infiltrate its targets. “Wslink’s payload is dedicated to providing means for file manipulation, execution of further code, and obtaining extensive information about the underlying system that possibly can be leveraged later for lateral movement,” said ESET.

In conclusion, the discovery of the new backdoor associated with the Wslink malware downloader and linked to the Lazarus Group is a reminder of the constant threat of cyberattacks and the need for heightened cybersecurity measures. As the world becomes increasingly digital, it is essential to remain vigilant and proactive in protecting sensitive information and critical infrastructure.


Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities goes beyond these certifications. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.
