Wslink, a previously undescribed loader for Windows binaries

ESET researchers discovered a previously undescribed loader for Windows binaries, tracked as Wslink, that runs as a server and executes modules in memory.

ESET researchers discovered Wslink, a previously undescribed loader for Windows binaries that, unlike similar loaders, runs as a server and executes modules in memory. The name Wslink comes from one of its DLLs.

At this time, researchers have yes to determine the initial compromise vector, they observed only a few infections in the past two years in Central Europe, North America, and the Middle East.

Most of the samples analyzed by ESET are packed with MPRESS and some parts of the code are virtualized. The researchers were not able to obtain any of the modules the loader can receive by the C2.

ESET did not find any similarities between the TTPs associated with these infections that could link them to a known threat actor.

“Wslink runs as a service and listens on all network interfaces on the port specified in the ServicePort registry value of the service’s Parameters key. The preceding component that registers the Wslink service is not known.” reads the analysis published by ESET. “Accepting a connection is followed by an RSA handshake with a hardcoded 2048-bit public key to securely exchange both the key and IV to be used for 256-bit AES in CBC mode. The encrypted module is subsequently received with a unique identifier – signature – and an additional key for its decryption.”

Wslink runs as a service and can accept modules in the form of encrypted portal executable (PE) files only from a specific IP address. The decrypted module is loaded into memory using the MemoryModule library.

The modules reuse the loader’s functions for communication, keys and sockets, this implies that the malware don’t have to initiate new outbound connections.

The researchers published the full source code for the loader in the ESET WslinkClient GitHub repository, they highlight that the code could not be used for malicious purposes because the current release still requires a significant amount of work to be weaponized.

“Wslink is a simple yet remarkable loader that, unlike those we usually see, runs as a server and executes received modules in memory.” concludes ESET.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.