ESET researchers have discovered a unique and previously undocumented malware family targeting Windows. Unlike other installers, this malware runs as a server and executes the modules it receives in memory. The malicious installer, called Wslink, has been found in Central Europe, North America and the Middle East.
An installer is a type of malware that places other executables, the actual malicious payload, on affected machines; in Wslink's case, the received modules are loaded and run directly in memory rather than written to disk. ESET has seen only a handful of Wslink instances in its telemetry over the past two years, with the detected specimens located in Central Europe, North America and the Middle East.
ESET researcher Vladislav Hrcka, who discovered Wslink, said: “Wslink is a simple but remarkable installer. Unlike other installers we usually come across, it runs as a server and executes imported modules in memory. This new malware is susceptible to this new malware because of one of its DLLs. We named it Wslink.”
No code, functional or operational similarities link this tool to any known threat actor group. Notably, its modules reuse the loader's functions for communication, keys and sockets, so they do not need to initiate new outbound connections of their own. Wslink also implements a well-developed cryptographic protocol to protect the data it exchanges.
Hrcka explains: “We’ve created our own version of a Wslink client that we think might be of interest to newcomers to malware analysis. This client demonstrates how to reuse and interact with the output functions of the installer. Also, our analysis is useful for cybersecurity defenders as an informative resource on this threat.” The full source code for the client is available in the WslinkClient GitHub repository.