There are no code, functionality or operational similarities to suggest that this is a tool from a known threat actor.
ESET researchers have discovered a unique and previously undocumented loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. A loader is malicious code (a program) used for loading another executable’s object files onto the infected machine, in this case directly into the memory. ESET has seen only a handful of Wslink samples in its telemetry in the past two years, with detections in Central Europe, North America, and the Middle East.
“Wslink is a simple yet remarkable loader that, unlike those we usually see, runs as a server and executes received modules in memory,” says ESET researcher Vladislav Hrčka, who discovered Wslink. “We have named this new malware Wslink after one of its DLLs,” he adds.
There are no code, functionality or operational similarities that suggest this is likely to be a tool from a known threat actor group. Additionally, its modules reuse the loader’s functions for communication, keys, and sockets; hence they do not have to initiate new outbound connections. Wslink also features a well-developed cryptographic protocol to protect the exchanged data.
“We have implemented our own version of a Wslink client, which might be of interest to beginners in malware analysis as it shows how one can reuse and interact with the loader’s exiting functions. Our analysis also serves as an informative resource documenting this threat for cybersecurity defenders,” explains Hrčka. The full source code for the client is available in our WslinkClient GitHub repository.
For more technical details about Wslink, read the blogpost “Wslink: Unique and undocumented malicious loader that, remarkably, runs as a server” on WeLiveSecurity.