Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Wslink. Show all posts

Lazarus's Latest Weapons: Wslink Loader and WinorDLL64 Backdoor


Cyberattacks have become increasingly advanced, and one of the most dangerous threats that companies face these days is backdoors. Backdoors are a type of malware that gives unauthorized access to a system to hackers, letting them steal important info, interrupt operations, and impact security. One such backdoor that surfaced recently is WinorDLL64, linked with the North Korean hacking group, Lazarus.

What is Wslink and WinorDLL64?

ESET researchers have found one of the payloads of the Wslink downloader that experts previously discovered in 2021. The payload is called WinorDLL64 based on its filename. Wslink, a loader for Windows binaries, is different from other loaders, it runs as a server and executes retrieved modules in memory. 

As the name suggests, a loader would serve as a tool to launch the payload or the malware into the infected system. Experts haven't identified the initial Wslink compromise vector yet. The WinorDLL64 is delivered by the Wslink malware downloader. These tools may be linked with the infamous North Korea-based APT group Lazarus. 

About WinorDLL64?

ESET researchers have found one of the payloads of the Wslink downloader that experts previously discovered in 2021. The payload is called WinorDLL64 based on its filename. Wslink, a loader for Windows binaries, is different from other loaders, it runs as a server and executes retrieved modules in memory. As the name suggests, a loader would serve as a tool to launch the payload or the malware into the infected system. Experts haven't identified the initial Wslink compromise vector yet. The WinorDLL64 is delivered by the Wslink malware downloader. These tools may be linked with the infamous North Korea-based APT group Lazarus. 

WinorDLL64 is a backdoor that was first found by cybersecurity experts in 2019. It is a 64-bit variant of the original Winor backdoor, which the Lazarus group used in its previous attacks. WinorDLL64 is built to be highly deceptive, which makes it difficult for experts to identify.

How does WinorDLL64 work?

WinorDLL64 is usually distributed via spear-phishing emails or malicious downloads. Once it compromises a system, it makes a backdoor that lets threat actors remotely gain entry and control the attacked system. It is built to avoid detection by using a number of techniques, this includes encrypting the communication process and concealing its sight on the system.

WeLiveSecurity by ESET reports "active since at least 2009, this infamous North-Korea aligned group is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. US-CERT and the FBI call this group HIDDEN COBRA."

Risks associated with WinorDLL64?

WinorDLL64 is a highly advanced backdoor that allows threat actors full control over the compromised system. Threat actors can steal important info, add malware, and do various malicious activities while evading detection. The dangers associated with WinorDLL64 are consequential, especially for companies that depend on sensitive data or critical systems.

How to protect yourself against WinorDLL64?

In the case of malware, safety is fundamental when it comes to defending against WinorDLL64. Companies can take various measures to decrease the chance of compromise. This includes:

Familiarizing employees with the dangers of phishing emails and inspiring them to be careful while opening attachments or suspicious links.

Maintaining software and security systems up-to-date to make sure all vulnerabilities are patched. 

Enforcing two-factor authentication and other login controls to reduce the damage from cyberattacks. 

Daily monitoring of network activity and system logs for any hints of malicious behavior.

Using a trusted anti-malware solution that can find and stop WinorDLL64 and various kinds of malware.

In summary, we can say that WinorDLL64 is a highly effective backdoor that is a significant threat to companies. It is believed to be the work of the North Korean hacking group, Lazarus, and is designed to evade detection and provide attackers with complete control over an infected system. Organizations can take various measures to defend against WinorDLL64, this includes educating the workplace, having the latest software, enforcing access controls, checking network activity, and using anti-malware software. With a proactive approach to cybersecurity, companies can lower the threat of a successful cyber attack and safeguard their precious systems and data.