Hackers could use new Wslink malware in highly targeted cyber attacks

News
By Rene Millman
published

Malware acts as a server, but its origins baffle boffins

Malware in code
(Image credit: Shutterstock)

Security researchers have discovered a new malware strain that acts as a server but doesn’t appear to be similar to other malware hackers use.

Malware discovered in JavaScript Library accessed by millions each week FontOnLake: "Sophisticated" malware targets Linux systems Malware pretending to be Amnesty International antivirus for Pegasus discovered Malware developers create malformed code signatures to avoid detection

The malware, dubbed Wslink, has only been seen a few times over the last two years with detections in Central Europe, North America, and the Middle East, according to researchers at Eset. It was named Wslink after one of its dynamic link libraries (DLLs), and researchers believe hackers are using it in highly targeted campaigns because the malware has been detected so few times.

The malware is distinctive because it runs as a server and executes received modules in memory. Researchers said the initial compromise vector is not known. They also note that most of the samples are packed with MPRESS, a free high-performance packer, and some parts of the code are virtualized.

“Unfortunately, so far we have been unable to obtain any of the modules it is supposed to receive. There are no code, functionality, or operational similarities that suggest this is likely to be a tool from a known threat actor group,” said ESET researcher Vladislav Hrčka.

The new malware runs as a service on infected machines and listens via a computer’s ports to accept connections to those ports. Accepting a connection is followed by an RSA handshake with a hardcoded 2,048-bit public key to securely exchange both the key and IV to be used for 256-bit AES in CBC mode. The encrypted module is subsequently received with a unique identifier – signature – and an additional key for its decryption, according to researchers.

“Interestingly, the most recently received encrypted module with its signature is stored globally, making it available to all clients. One can save traffic this way – transmit only the key if the signature of the module to be loaded matches the previous one,” said Hrčka.

RELATED RESOURCE

The best defence against ransomware

How ransomware is evolving and how to defend against it

FREE DOWNLOAD

He added that the malware is a simple yet remarkable loader that runs as a server and executes received modules in memory, unlike those usually seen.

“Interestingly, the modules reuse the loader’s functions for communication, keys, and sockets; hence they do not have to initiate new outbound connections. Wslink additionally features a well-developed cryptographic protocol to protect the exchanged data,” said Hrčka.

Rene Millman
Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.