Researchers reported discovering one of the payloads of the Wslink downloader first uncovered in 2021, saying with “low confidence” that it could be linked to the North Korean-backed Lazarus Group best known for the 2014 Sony hack.
In a Feb. 23 blog post, ESET researchers named the payload WinorDLL64 after its filename, WinorDLL64.dll. The payload overlaps with several Lazarus samples in its development environment, behavior and code.
Along with the Sony hack, Lazarus was responsible for stealing tens of millions of dollars in a 2016 cyberheist and for the WannaCry outbreak in 2017, and it has a long history of disruptive attacks against South Korean public and critical infrastructure. US-CERT and the FBI call the group Hidden Cobra.
ESET telemetry has seen only a few detections of Wslink in Central Europe, North America, and the Middle East.
The researchers said the discovery was significant because Wslink’s payload provides a means for file manipulation, execution of further code, and obtaining extensive information about the underlying system that could be leveraged for lateral movement. The Wslink loader listens on a port specified in its configuration, can serve additional connecting clients, and can even load various payloads.
WinorDLL64 serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, and executes additional commands. It communicates over a TCP connection that was already established by its loader and uses some of the loader’s functions. The ESET researchers have "high confidence" it’s Wslink because its unique structure is used everywhere in the expected way: the TLS-context and other meaningful parameters are supplied in the anticipated order to the correct callbacks.
Is it Lazarus or a copycat group?
James Lively, endpoint security research specialist at Tanium, explained that this general threat is indicative of what one would see from an APT, which are typically surgical in nature, pursuing their targets for a variety of reasons. Lively said syndicates such as the Lazarus Group primarily go after organizations for financial gain or political goals, adding that the WinorDLL64 backdoor is incredibly difficult to detect because it can operate solely from memory.
Lively added that monitoring memory to the extent that it would take to detect this type of backdoor is resource-intensive and often impractical.
“Security teams should employ extensive patching practices to vulnerable services and software to minimize the avenues for malicious actors to gain access to their network,” said Lively. “Additionally, they should deploy anti-phishing campaigns and training to their users to raise awareness about identifying and reporting malicious emails and links.”
Andrew Barratt, vice president at Coalfire, said ESET has a highly respected team and has products that Coalfire has leveraged in its own forensics work. Barratt said it was interesting that ESET was highlighting similarities but had “low levels” of confidence in the source.
“This could be linked with the Lazarus Group. However, it could equally be copycat behavior that’s trying to stay off radar with limited deployments, perhaps due to being used in highly targeted attacks or as part of a malware-for-hire group,” said Barratt. “This would be consistent with the type of tool. It could be used by initial access vendors who sell access for others to then pull down and execute more bespoke malware depending on the target that has been compromised.”