Researchers have found a new payload delivered by the Wslink malware downloader and say it is possibly part of the cache of tools maintained and deployed by the Lazarus Group, an attack team aligned with the government of North Korea.
In 2021, ESET researchers discovered the Wslink loader, which has a couple of unique characteristics, most notably its ability to run as a server rather than as a client. Like other loaders, Wslink serves as a way for the actors who deploy it to download and install other pieces of malware or tools onto a compromised machine. At the time that ESET analyzed the loader, the researchers were not able to find the payload that Wslink delivered, but they recently identified a payload, which they call WinorDLL64.
The payload was found on a handful of victim machines in locations that the Lazarus Group has targeted in its past operations, including Europe and North America. There also are some overlaps between the code of WinorDLL and other samples used by the Lazarus Group, including Bankshot and GhostSecret. The ESET researchers identified some behavioral similarities with known Lazarus Group tools as well, but stopped short of definitively attributing WinorDLL to the group.
In terms of its functionality, the newly found payload is not exotic but is effective nonetheless.
“WinorDLL64 serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, and executes additional commands. Interestingly, it communicates over a TCP connection that was already established by its loader and uses some of the loader’s functions,” Vladislav Hrčka of ESET said in a new analysis of the payload.
“The backdoor is a DLL with a single unnamed export that accepts one parameter – a structure for communication. The structure contains a TLS-context – socket, key, IV – and callbacks for sending and receiving messages encrypted with 256-bit AES-CBC that enable WinorDLL64 to exchange data securely with the operator over an already established connection.”
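The export-table characteristic in the quote above (a single unnamed, ordinal-only export) is something a defender can check for during triage. The following is an added example, not code from ESET's analysis: a pure-Python parser that reads a PE's export directory and flags exactly one exported function with zero export names. The sample PE32+ image it builds is constructed inline for the demonstration and is not WinorDLL64 or any real binary.

```python
import struct

def export_summary(pe: bytes):
    """Return (NumberOfFunctions, NumberOfNames) from the export directory, or None if there is none."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)          # data directories start (PE32+ vs PE32)
    exp_rva = struct.unpack_from("<I", pe, dd)[0]       # entry 0 = export table RVA
    if exp_rva == 0:
        return None
    sections = opt + opt_size
    for i in range(num_sections):                        # map the RVA to a file offset via section headers
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, sections + 40 * i + 8)
        if va <= exp_rva < va + max(vsize, rawsize):
            off = exp_rva - va + rawptr
            return struct.unpack_from("<II", pe, off + 20)  # NumberOfFunctions, NumberOfNames
    return None

def single_unnamed_export(pe: bytes) -> bool:
    """Triage heuristic only: one exported function, zero export names (ordinal-only). Legitimate DLLs can match too."""
    return export_summary(pe) == (1, 0)

def build_sample_dll(num_functions: int, num_names: int) -> bytes:
    """Constructed minimal PE32+ image (one section, export directory only); not a real or malicious binary."""
    e_lfanew, va, raw_ptr = 0x40, 0x1000, 0x200
    opt_size = 112 + 16 * 8                               # PE32+ fixed part plus 16 data directories
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, num_functions, num_names, 0, 0, 0)
    hdr = bytearray(raw_ptr)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HHIIIHH", hdr, coff, 0x8664, 1, 0, 0, 0, opt_size, 0x2022)  # x64, 1 section, DLL
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x20B)               # PE32+ magic
    struct.pack_into("<II", hdr, opt + 112, va, len(export_dir))  # data directory 0 -> export table
    sec = opt + opt_size
    hdr[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(export_dir), va, 0x200, raw_ptr)
    return bytes(hdr) + export_dir.ljust(0x200, b"\0")
```

A match is a reason to look closer, not a verdict: plenty of benign DLLs export by ordinal, so pair the heuristic with the communication-structure behaviour the quote describes.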
The WinorDLL payload is designed to accept a few commands, such as executing a PowerShell command, compressing and downloading a directory, creating or killing a process, gathering system information, or listing files in a directory.
The Lazarus Group is a tenacious and prolific attack team that is closely aligned with the interests of the North Korean government and has conducted some very large operations in the past. The group maintains a large arsenal of custom tools and malware that it deploys as needed.
“Wslink’s payload is dedicated to providing means for file manipulation, execution of further code, and obtaining extensive information about the underlying system that possibly can be leveraged later for lateral movement, due to specific interest in network sessions. The Wslink loader listens on a port specified in the configuration and can serve additional connecting clients, and even load various payloads,” Hrčka said. “WinorDLL64 contains an overlap in the development environment, behavior, and code with several Lazarus samples, which indicates that it might be a tool from the vast arsenal of this North Korea-aligned APT group.”