New Wslink malware loader runs as a server and runs modules in memory
On Wednesday, cybersecurity researchers unveiled a “simple but remarkable” malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East.
Codenamed “Wslink” by ESET, this previously undocumented malware differs from others in that it runs as a server and executes the modules it receives in memory. There are no details available on the initial compromise vector, and there is no code or operational overlap that links this tool to a known threat actor group.
The Slovakian cybersecurity firm noted that it has only seen a handful of detections in the past two years, suggesting it could be used in highly targeted cyber infiltrations.
Wslink is designed to run as a service and can accept encrypted portable executable (PE) files from a specific IP address, which are then decrypted and loaded into memory before execution. To achieve this, the client (i.e. the victim) and the server perform a handshake that involves exchanging the cryptographic keys needed to encrypt the modules using AES.
“It is interesting to note that the modules reuse the functions of the charger for communication, keys and sockets; they therefore do not have to initiate new outgoing connections,” said ESET researcher Vladislav Hrčka. “Wslink also has a well-developed cryptographic protocol to protect the data exchanged.”
The findings come as researchers at Zscaler and Cisco Talos have disclosed another malware loader called SQUIRRELWAFFLE, which is distributed via spam email campaigns to deploy Qakbot and Cobalt Strike on compromised systems.