Hackers could use new Wslink malware in highly targeted cyber attacks

Security researchers have discovered a new malware strain that acts as a server but doesn’t appear to be similar to other malware hackers use.

The malware, dubbed Wslink, has only been seen a few times over the last two years with detections in Central Europe, North America, and the Middle East, according to researchers at Eset. It was named Wslink after one of its dynamic link libraries (DLLs), and researchers believe hackers are using it in highly targeted campaigns because the malware has been detected so few times.

The malware is distinctive because it runs as a server and executes received modules in memory. Researchers said the initial compromise vector is not known. They also note that most of the samples are packed with MPRESS, a free high-performance packer, and some parts of the code are virtualized.

“Unfortunately, so far we have been unable to obtain any of the modules it is supposed to receive. There are no code, functionality, or operational similarities that suggest this is likely to be a tool from a known threat actor group,” said ESET researcher Vladislav Hrčka.

The new malware runs as a service on infected machines and listens via a computer’s ports to accept connections to those ports. Accepting a connection is followed by an RSA handshake with a hardcoded 2,048-bit public key to securely exchange both the key and IV to be used for 256-bit AES in CBC mode. The encrypted module is subsequently received with a unique identifier – signature – and an additional key for its decryption, according to researchers.

“Interestingly, the most recently received encrypted module with its signature is stored globally, making it available to all clients. One can save traffic this way – transmit only the key if the signature of the module to be loaded matches the previous one,” said Hrčka.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Free download

He added that the malware is a simple yet remarkable loader that runs as a server and executes received modules in memory, unlike those usually seen.

“Interestingly, the modules reuse the loader’s functions for communication, keys, and sockets; hence they do not have to initiate new outbound connections. Wslink additionally features a well-developed cryptographic protocol to protect the exchanged data,” said Hrčka.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download