BRATISLAVA – ESET researchers have discovered a unique and previously undocumented loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. A loader is a malicious program whose purpose is to deliver and run further payloads on the infected machine; in Wslink's case the received modules are executed directly in memory rather than being dropped to disk first. ESET has seen only a handful of Wslink samples in its telemetry in the past two years, with detections in Central Europe, North America, and the Middle East.
“Wslink is a simple yet remarkable loader that, unlike those we usually see, runs as a server and executes received modules in memory,” says ESET researcher Vladislav Hrčka, who discovered Wslink. “We have named this new malware Wslink after one of its DLLs,” he adds.
There are no code, functionality or operational similarities to suggest that Wslink is a tool of a known threat actor group. Its modules reuse the loader's functions for communication, keys, and sockets, so they do not have to initiate outbound connections of their own. Wslink also features a well-developed cryptographic protocol to protect the exchanged data.
“We have implemented our own version of a Wslink client, which might be of interest to beginners in malware analysis as it shows how one can reuse and interact with the loader’s existing functions. Our analysis also serves as an informative resource documenting this threat for cybersecurity defenders,” explains Hrčka. The full source code for the client is available in our WslinkClient GitHub repository.
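The architecture described above (a loader that listens as a server, receives a module, runs it in memory and lets the module reuse the loader's own socket and key instead of opening a new connection) is sketched below as an added, illustrative model in Python. It is not ESET's WslinkClient code and does not reproduce Wslink's real framing or cryptography: the length-prefixed frames, the XOR "encryption", the placeholder KEY and the module format (Python source with a main(services) entry point) are all assumptions made for this example. A minimal client, in the spirit of ESET's own client, drives the loader and collects its replies.

```python
"""Illustrative model of a server-mode loader (added example, not Wslink code)."""
import socket
import struct
import threading

# Constructed placeholder; a real loader would negotiate a key. Not a Wslink key.
KEY = b"example-key"


def xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for the loader's real cipher: repeating-key XOR (assumption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def send_frame(sock: socket.socket, payload: bytes, key: bytes) -> None:
    """Frame = 4-byte big-endian length + 'encrypted' payload (assumed framing)."""
    enc = xor(payload, key)
    sock.sendall(struct.pack(">I", len(enc)) + enc)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def recv_frame(sock: socket.socket, key: bytes) -> bytes:
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    return xor(recv_exact(sock, n), key)


class LoaderServer:
    """Listens, accepts one client, then: receive module -> run in memory -> reply."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.listener = socket.socket()
        self.listener.bind((host, port))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.executed = []  # return values of modules run so far

    def serve_one(self) -> None:
        conn, _ = self.listener.accept()
        with conn:
            while True:
                try:
                    module_src = recv_frame(conn, KEY)
                except ConnectionError:
                    break  # client went away; the loader keeps nothing on disk
                result = self.run_module(module_src, conn)
                self.executed.append(result)
                send_frame(conn, result, KEY)

    def run_module(self, module_src: bytes, conn: socket.socket) -> bytes:
        # Function table handed to the module: the loader's own send/recv bound
        # to the already-open connection, plus the key. The module therefore
        # never creates a socket of its own (the behaviour the article describes).
        services = {
            "send": lambda data: send_frame(conn, data, KEY),
            "recv": lambda: recv_frame(conn, KEY),
            "key": KEY,
        }
        namespace = {}
        exec(module_src.decode(), namespace)  # executed purely in memory
        return namespace["main"](services)


# Constructed sample module: it talks back through the loader's socket only.
MODULE = b'''
def main(services):
    services["send"](b"module running, key length=%d" % len(services["key"]))
    return b"module done"
'''


def run_client(port: int, module_src: bytes):
    """Minimal client: push one module, read the module's own message and the
    loader's reply carrying the module's return value."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        send_frame(s, module_src, KEY)
        from_module = recv_frame(s, KEY)
        from_loader = recv_frame(s, KEY)
    return from_module, from_loader


def demo():
    server = LoaderServer()
    t = threading.Thread(target=server.serve_one, daemon=True)
    t.start()
    frames = run_client(server.port, MODULE)
    t.join(timeout=5)
    server.listener.close()
    return frames


if __name__ == "__main__":
    print(demo())
```

Run as a script and the client prints the two frames it received: the first was emitted by the module through the loader's send function, the second by the loader itself. Swapping XOR for a real cipher or Python source for native code does not change the shape: one listening socket, modules arriving over it, and a function table that keeps all traffic on that single connection.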
For more technical details about Wslink, read the blogpost “Wslink: Unique and undocumented malicious loader that, remarkably, runs as a server” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multi-factor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defences in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centres worldwide, working in support of our shared future. For more information, visit our website or follow us on LinkedIn, Facebook, and Twitter.