Cybersecurity firm ESET has discovered the WinorDLL64 payload, a backdoor that communicates over a connection established by the Wslink downloader. The loader runs as a server and executes received modules in memory, unlike other such loaders that load a payload or malware onto an already compromised system. The Wslink compromise vector is yet to be identified.
The WinorDLL64 payload collects system information, provides file-manipulation capabilities such as exfiltrating, overwriting, and deleting files, and executes additional commands. ESET has attributed the malware to the Lazarus APT group with low confidence, based on the targeted region and on behavioral and code similarities with known Lazarus samples.
The Lazarus APT group is responsible for high-profile incidents such as the Sony Pictures Entertainment hack and cyberheists worth tens of millions of dollars in 2016. The group has also carried out disruptive attacks against South Korean public and critical infrastructure since 2011. US-CERT and the FBI refer to the Lazarus APT group as HIDDEN COBRA.
ESET believes that Lazarus is a large and systematically organized team consisting of several subgroups that share a vast toolset. In 2021, ESET discovered a Lazarus tool that targeted an aerospace company employee in the Netherlands and a political journalist in Belgium. The tool exploited CVE-2021-21551, a vulnerability in a legitimately signed Dell driver, to disable the monitoring capabilities of security solutions on compromised machines. ESET has also published an extensive description of the virtual machine structure used in Wslink samples.