BRATISLAVA — October 27, 2021 — ESET researchers have discovered a unique and previously undocumented loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. A loader is malicious code (a program) used for loading another executable’s object files onto the infected machine, in this case directly into the memory. ESET has seen only a handful of Wslink samples in its telemetry in the past two years, with detections in Central Europe, North America, and the Middle East.
“Wslink is a simple yet remarkable loader that, unlike those we usually see, runs as a server and executes received modules in memory,” says ESET researcher Vladislav Hrčka, who discovered Wslink. “We have named this new malware Wslink after one of its DLLs,” he adds.
There are no code, functionality or operational similarities that suggest this is likely to be a tool from a known threat actor group. Additionally, its modules reuse the loader’s functions for communication, keys, and sockets; hence they do not have to initiate new outbound connections. Wslink also features a well-developed cryptographic protocol to protect the exchanged data.
“We have implemented our own version of a Wslink client, which might be of interest to beginners in malware analysis as it shows how one can reuse and interact with the loader’s exiting functions. Our analysis also serves as an informative resource documenting this threat for cybersecurity defenders,” explains Hrčka. The full source code for the client is available in our WslinkClient GitHub repository.
For more technical details about Wslink, read the blogpost “Wslink: Unique and undocumented malicious loader that, remarkably, runs as a server” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.