The distribution area, behavior and code suggest that the tool is used by the North Korea-affiliated APT group Lazarus. The backdoor can exfiltrate, overwrite and remove files, execute commands and obtain information about the compromised system.
ESET, a global leader in the cybersecurity market, has discovered the WinorDLL64 backdoor, one of the payloads of the downloader Wslink. Several elements suggest that the tool is used by the APT Lazarus group affiliated with North Korea. The Wslink payload is capable of exfiltrating, overwriting, and removing files, executing commands, and obtaining extensive information about the underlying system.
"Wslink, whose file name is WinorLoaderDLL64.dll, is a loader for Windows binaries which, unlike other loaders of this type, operates as a server and executes the modules received in memory. As the wording suggests, a loader serves as a tool to load a payload, or the actual malware, onto the already compromised system," explains Vladislav Hrčka, the ESET researcher who made the discovery. "The Wslink payload can later be used for lateral movement, thanks to its specific interest in network sessions. The Wslink loader listens on a port specified in the configuration and can serve other connected clients and even load various payloads," he adds.
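The two concrete indicators in the quote above are the loader's file name, WinorLoaderDLL64.dll, and the fact that the loader behaves as a server listening on a configured port. The following hunt script is an added example written for this page; it is not ESET's code and is not derived from the Wslink or WinorDLL64 samples. It walks every process, flags any that has a module with that file name loaded, and joins it with the TCP ports the process is listening on. The function name, the output columns and the use of Get-NetTCPConnection (available on Windows 8 / Server 2012 and later) are assumptions of this script, not details from the report.

```powershell
# Added hunting example (not ESET's code): find processes with a module named
# WinorLoaderDLL64.dll loaded (the file name ESET reports for the Wslink loader)
# and list the TCP ports they are listening on, since the loader runs as a server.
# Only the module name and the "listening" heuristic come from the report; the
# function name, parameters and output layout are assumptions of this script.
function Find-WslinkLoaderCandidates {
    [CmdletBinding()]
    param(
        # Module file name reported for the Wslink loader; override to hunt for renamed copies.
        [string]$ModuleName = 'WinorLoaderDLL64.dll'
    )

    # Map owning PID -> list of listening local ports (Windows 8 / Server 2012+).
    $listeners = @{}
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { $listeners[$_.OwningProcess] += @($_.LocalPort) }

    foreach ($proc in Get-Process) {
        try {
            $mod = $proc.Modules |
                Where-Object { $_.ModuleName -ieq $ModuleName } |
                Select-Object -First 1
        } catch {
            # Access denied on protected/other-session processes: skip, do not abort the sweep.
            continue
        }
        if ($mod) {
            [pscustomobject]@{
                ProcessId     = $proc.Id
                ProcessName   = $proc.ProcessName
                ModulePath    = $mod.FileName
                ListeningPort = ($listeners[$proc.Id] -join ',')
                SHA256        = (Get-FileHash -Path $mod.FileName -Algorithm SHA256).Hash
            }
        }
    }
}

# Run from an elevated 64-bit PowerShell so that modules of other users' processes
# (and 64-bit processes) can be enumerated; an empty result means no match.
Find-WslinkLoaderCandidates | Format-Table -AutoSize
```

A match on the file name alone is not proof of compromise (the name can be reused by unrelated software, and the loader could be renamed), so treat a hit as a lead: pivot on the SHA256 of the module and on any unexpected listening port before escalating.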
WinorDLL64 overlaps in both behavior and code with several Lazarus samples, indicating that it could be one tool in this APT group's vast arsenal.
The initially unknown Wslink payload was uploaded to VirusTotal from South Korea shortly after an ESET Research blog post about the Wslink loader was published. ESET telemetry detected only a few cases of Wslink loaders in Central Europe, North America and the Middle East. AhnLab researchers confirmed Wslink's South Korean victims in their telemetry, which is a relevant indicator, considering Lazarus' traditional targets and the fact that ESET Research observed only a few detections.
Active since at least 2009, this infamous group is responsible for high-profile incidents such as the hack of Sony Pictures Entertainment, the tens-of-millions-of-dollars cyber heists of 2016, the WannaCryptor (aka WannaCry) outbreak in 2017 and a long series of disruptive attacks against South Korean public and critical infrastructure since at least 2011. US-CERT and the FBI track this group as HIDDEN COBRA.
For more technical information on WinorDLL64, see the post "WinorDLL64: a backdoor from Lazarus' vast arsenal?" on WeLiveSecurity.