Hackers could use new Wslink malware in highly targeted cyber attacks

Malware acts as a server, but its origins baffle boffins

Security researchers have discovered a new malware strain that acts as a server but doesn’t appear to be similar to other malware hackers use.

The malware, dubbed Wslink, has only been seen a few times over the last two years with detections in Central Europe, North America, and the Middle East, according to researchers at Eset. It was named Wslink after one of its dynamic link libraries (DLLs), and researchers believe hackers are using it in highly targeted campaigns because the malware has been detected so few times.

The malware is distinctive because it runs as a server and executes received modules in memory. Researchers said the initial compromise vector is not known. They also note that most of the samples are packed with MPRESS, a free high-performance packer, and some parts of the code are virtualized.

“Unfortunately, so far we have been unable to obtain any of the modules it is supposed to receive. There are no code, functionality, or operational similarities that suggest this is likely to be a tool from a known threat actor group,” said ESET researcher Vladislav Hrčka.

The new malware runs as a service on infected machines and listens via a computer’s ports to accept connections to those ports. Accepting a connection is followed by an RSA handshake with a hardcoded 2,048-bit public key to securely exchange both the key and IV to be used for 256-bit AES in CBC mode. The encrypted module is subsequently received with a unique identifier – signature – and an additional key for its decryption, according to researchers.

“Interestingly, the most recently received encrypted module with its signature is stored globally, making it available to all clients. One can save traffic this way – transmit only the key if the signature of the module to be loaded matches the previous one,” said Hrčka.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

He added that the malware is a simple yet remarkable loader that runs as a server and executes received modules in memory, unlike those usually seen.

“Interestingly, the modules reuse the loader’s functions for communication, keys, and sockets; hence they do not have to initiate new outbound connections. Wslink additionally features a well-developed cryptographic protocol to protect the exchanged data,” said Hrčka.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Sophos Intercept X Advanced review: AI-powered protection
endpoint security

Sophos Intercept X Advanced review: AI-powered protection

30 Nov 2021
SMBs urged to update software ahead of Black Friday
e commerce

SMBs urged to update software ahead of Black Friday

25 Nov 2021
US adds dozen Chinese tech companies to trade blacklist
Policy & legislation

US adds dozen Chinese tech companies to trade blacklist

25 Nov 2021
RATDispenser evades nine in ten anti-virus engines
Security

RATDispenser evades nine in ten anti-virus engines

24 Nov 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
Jack Dorsey resigns as Twitter CEO
business management

Jack Dorsey resigns as Twitter CEO

29 Nov 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021