Researchers reported discovering one of the payloads of the Wslink downloader, first uncovered in 2021, and said with “low confidence” that it could be linked to the North Korean-backed Lazarus Group, best known for the 2014 Sony hack.
In a Feb. 23 blog post, ESET researchers named the payload WinorDLL64 after its filename, WinorDLL64.dll. The payload overlaps in development environment, behavior and code with several Lazarus samples.
Along with the Sony hack, Lazarus was responsible for stealing tens of millions of dollars in a 2016 cyberheist and for the WannaCry outbreak in 2017, and it has a long history of disruptive attacks against South Korean public and critical infrastructure. US-CERT and the FBI call the group Hidden Cobra.
ESET telemetry has seen only a few detections of Wslink in Central Europe, North America, and the Middle East.
The researchers said the discovery was significant because the Wslink payload can manipulate files, execute further code, and collect extensive information about the underlying system, which could be leveraged for lateral movement. The Wslink loader listens on a port specified in its configuration, can serve additional connecting clients, and can load various payloads.
WinorDLL64 serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, and executes additional commands. It communicates over a TCP connection that was already established by its loader and reuses some of the loader’s functions. The ESET researchers have “high confidence” that it is a Wslink payload because its unique structure is used everywhere in the expected