ESET researchers have discovered the WinorDLL64 backdoor, one of the payloads of the Wslink downloader. The targeted region, and overlap in behaviour and code, suggest the tool is used by the infamous North Korea-aligned APT group Lazarus. Wslink’s payload can exfiltrate, overwrite, and remove files, execute commands, and obtain extensive information about the underlying system.
Vladislav Hrčka, the ESET researcher who made the discovery said “Wslink, which has the filename WinorLoaderDLL64.dll, is a loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. As the wording suggests, a loader serves as a tool to load a payload, or the actual malware, onto the already compromised system.”
Hrčka added “The Wslink payload can be leveraged later for lateral movement, due to its specific interest in network sessions. The Wslink loader listens on a port specified in the configuration and can serve additional connecting clients, and even load various payloads,” he adds.
WinorDLL64 contains overlaps in both behaviour and code with several Lazarus samples, which indicates that it might be a tool from the vast arsenal of this North Korea-aligned APT group.
After ESET Research released a blog post on the Wslink loader, an unidentified payload related to it was submitted to VirusTotal from South Korea. The Wslink loader has only been detected a few times by ESET in Central Europe, North America, and the Middle East. AhnLab researchers have confirmed instances of Wslink affecting victims in South Korea, which is significant because the traditional targets of Lazarus are in that region and ESET has only seen a small number of detections.
This notorious North Korea-aligned group, which has been active at least since 2009, is to blame for high-profile events like the Sony Pictures Entertainment hack, the multi-million dollar cyberheists in 2016, the WannaCry (also known as WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. The FBI and US-CERT refer to this organisation as HIDDEN COBRA.
