New Wslink Malware Loader Runs as a Server and Executes Modules in Memory

guest · Oct 28, 2021

New Wslink Malware Loader Runs as a Server and Executes Modules in Memory
October 28, 2021
https://thehackernews.com/2021/10/new-wslink-malware-loader-runs-as.html

Cybersecurity researchers on Wednesday took the wraps off a "simple yet remarkable" malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East.

Codenamed "Wslink" by ESET, this previously undocumented malware stands apart from the rest in that it runs as a server and executes received modules in memory. There are no specifics available on the initial compromise vector and there are no code or operational overlaps that tie this tool to a known threat actor group.
Click to expand...

The Slovak cybersecurity firm noted that it has seen only a handful of detections in the past two years, suggesting that it could be used in highly-targeted cyber infiltrations.

Wslink is designed to run as a service and can accept encrypted portal executable (PE) files from a specific IP address, which is then decrypted and loaded into memory prior to the execution. To achieve this, the client (i.e., the victim) and the server perform a handshake that involves the exchange of cryptographic keys necessary to encrypt the modules using AES.
Click to expand...

ESET: Wslink: Unique and undocumented malicious loader that runs as a server

There are no code, functionality or operational similarities to suggest that this is a tool from a known threat actor
Conclusion
Wslink is a simple yet remarkable loader that, unlike those we usually see, runs as a server and executes received modules in memory.

Interestingly, the modules reuse the loader’s functions for communication, keys and sockets; hence they do not have to initiate new outbound connections. Wslink additionally features a well-developed cryptographic protocol to protect the exchanged data.
Click to expand...

Minimalist · Mar 28, 2022

Under the hood of Wslink’s multilayered virtual machine

ESET researchers recently described Wslink, a unique and previously undocumented malicious loader that runs as a server and that features a virtual-machine-based obfuscator. There are no code, functionality or operational similarities that suggest this is likely to be a tool from a known threat actor.
Click to expand...

https://www.welivesecurity.com/2022/03/28/under-hood-wslink-multilayered-virtual-machine/

Rasheed187 · Apr 3, 2022

Minimalist said: ↑

Under the hood of Wslink’s multilayered virtual machine

https://www.welivesecurity.com/2022/03/28/under-hood-wslink-multilayered-virtual-machine/
Click to expand...

I'm not going to lie, I didn't really understand how this malware operates. I did read that it runs as a service, so I suppose if you block this service process from running you can block it post execution.

Log in or Sign up

New Wslink Malware Loader Runs as a Server and Executes Modules in Memory

guest Guest

Minimalist Registered Member

Rasheed187 Registered Member

Log in or Sign up

New Wslink Malware Loader Runs as a Server and Executes Modules in Memory

guest Guest

Minimalist Registered Member

Rasheed187 Registered Member

Useful Searches