Hackers could use new Wslink malware in highly targeted cyber attacks
Malware acts as a server, but its origins baffle boffins
The malware, dubbed Wslink, has only been seen a few times over the last two years with detections in Central Europe, North America, and the Middle East, according to researchers at Eset. It was named Wslink after one of its dynamic link libraries (DLLs), and researchers believe hackers are using it in highly targeted campaigns because the malware has been detected so few times.
The malware is distinctive because it runs as a server and executes received modules in memory. Researchers said the initial compromise vector is not known. They also note that most of the samples are packed with MPRESS, a free high-performance packer, and some parts of the code are virtualized.
“Unfortunately, so far we have been unable to obtain any of the modules it is supposed to receive. There are no code, functionality, or operational similarities that suggest this is likely to be a tool from a known threat actor group,” said ESET researcher Vladislav Hrčka.
The new malware runs as a service on infected machines and listens via a computer’s ports to accept connections to those ports. Accepting a connection is followed by an RSA handshake with a hardcoded 2,048-bit public key to securely exchange both the key and IV to be used for 256-bit AES in CBC mode. The encrypted module is subsequently received with a unique identifier – signature – and an additional key for its decryption, according to researchers.
“Interestingly, the most recently received encrypted module with its signature is stored globally, making it available to all clients. One can save traffic this way – transmit only the key if the signature of the module to be loaded matches the previous one,” said Hrčka.
The best defence against ransomware
How ransomware is evolving and how to defend against itFree download
He added that the malware is a simple yet remarkable loader that runs as a server and executes received modules in memory, unlike those usually seen.
“Interestingly, the modules reuse the loader’s functions for communication, keys, and sockets; hence they do not have to initiate new outbound connections. Wslink additionally features a well-developed cryptographic protocol to protect the exchanged data,” said Hrčka.
Shining light on new 'cool' cloud technologies and their drawbacks
IONOS Cloud Up! Summit, Cloud Technology Session with Russell BarleyWatch now
Build mobile and web apps faster
Three proven tips to accelerate modern app developmentFree download
Reduce the carbon footprint of IT operations up to 88%
A carbon reduction opportunityFree Download
Comparing serverless and server-based technologies
Determining the total cost of ownershipFree download