Wslink, a previously undescribed loader for Windows binaries

Pierluigi Paganini October 28, 2021

ESET researchers discovered a previously undescribed loader for Windows binaries, tracked as Wslink, that runs as a server and executes modules in memory.

ESET researchers discovered Wslink, a previously undescribed loader for Windows binaries that, unlike similar loaders, runs as a server and executes modules in memory. The name Wslink comes from one of its DLLs.

At this time, researchers have yes to determine the initial compromise vector, they observed only a few infections in the past two years in Central Europe, North America, and the Middle East.

Most of the samples analyzed by ESET are packed with MPRESS and some parts of the code are virtualized. The researchers were not able to obtain any of the modules the loader can receive by the C2.

ESET did not find any similarities between the TTPs associated with these infections that could link them to a known threat actor.

“Wslink runs as a service and listens on all network interfaces on the port specified in the ServicePort registry value of the service’s Parameters key. The preceding component that registers the Wslink service is not known.” reads the analysis published by ESET. “Accepting a connection is followed by an RSA handshake with a hardcoded 2048-bit public key to securely exchange both the key and IV to be used for 256-bit AES in CBC mode. The encrypted module is subsequently received with a unique identifier – signature – and an additional key for its decryption.”

Wslink runs as a service and can accept modules in the form of encrypted portal executable (PE) files only from a specific IP address. The decrypted module is loaded into memory using the MemoryModule library.

The modules reuse the loader’s functions for communication, keys and sockets, this implies that the malware don’t have to initiate new outbound connections.

The researchers published the full source code for the loader in the ESET WslinkClient GitHub repository, they highlight that the code could not be used for malicious purposes because the current release still requires a significant amount of work to be weaponized.

“Wslink is a simple yet remarkable loader that, unlike those we usually see, runs as a server and executes received modules in memory.” concludes ESET.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment