The North Korea-aligned APT group Lazarus is the most likely author of WinorDLL64, a backdoor discovered by ESET that collects information about the compromised system. WinorDLL64 is one of the payloads of the Wslink downloader. The payload can exfiltrate, overwrite and remove files, execute commands and obtain extensive information about the underlying system.

How the payload is used

Vladislav Hrčka, ESET researcher who made the discovery

Wslink, whose file name is WinorLoaderDLL64.dll, is a loader for Windows binaries. Unlike other loaders of this type, it acts as a server and executes received modules in memory. As the name suggests, a loader is a tool for loading a payload, the actual malware, onto an already compromised system. The Wslink payload can be leveraged later for lateral movement, due to its specific interest in network sessions. The Wslink loader listens on a port specified in its configuration and can serve other connecting clients and even load various payloads.
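The loader behaviour described above (a process that listens on a configured port and hosts the loader DLL) can be turned into a simple host check. The PowerShell snippet below is an added hunting example, not ESET's code and not taken from the research it describes. It assumes a Windows host with the NetTCPIP module (Get-NetTCPConnection) and an elevated shell so that the module lists of other users' processes can be read, and it keys on the file name WinorLoaderDLL64.dll reported for the loader; an operator can trivially rename that file, so a miss here does not clear the host.

```powershell
# Added hunting example (not ESET's code). Assumes Windows, the NetTCPIP module
# and an elevated shell; keys on the reported loader file name, which may be renamed.
$suspectModule = 'WinorLoaderDLL64.dll'

# PIDs that own at least one listening TCP socket
$listenerPids = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty OwningProcess -Unique

foreach ($procId in $listenerPids) {
    try {
        $proc = Get-Process -Id $procId -ErrorAction Stop
        # Enumerating modules of protected/system processes can throw; skip those
        $hits = $proc.Modules | Where-Object { $_.ModuleName -ieq $suspectModule }
    } catch {
        Write-Verbose "Cannot inspect PID ${procId}: $($_.Exception.Message)"
        continue
    }
    if ($hits) {
        $ports = (Get-NetTCPConnection -State Listen -OwningProcess $procId).LocalPort -join ','
        [pscustomobject]@{
            PID        = $procId
            Process    = $proc.ProcessName
            ListenPort = $ports
            ModulePath = ($hits.FileName -join ';')
        }
    }
}
```

Run it from an elevated prompt; any object it emits is a listening process that has the named loader DLL mapped, together with the listening port(s) to compare against firewall and proxy logs. Because the check depends on the file name, a broader sweep would also review every listener whose modules come from user-writable directories rather than from the Windows or Program Files trees.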

WinorDLL64 backdoor discovered

WinorDLL64 overlaps in both behavior and code with several Lazarus samples, which indicates that it could be a tool in this APT group's vast arsenal. The initially unknown Wslink payload was uploaded to VirusTotal from South Korea shortly after an ESET Research blog post on the Wslink loader was published. ESET's telemetry found only a few cases of Wslink loaders, in Central Europe, North America and the Middle East. AhnLab researchers confirmed South Korean victims of Wslink in their telemetry, a relevant indicator considering Lazarus' traditional targets and the fact that ESET Research has observed only a few detections.

Lazarus background

Active since at least 2009, this notorious group is responsible for high-profile incidents such as the hack of Sony Pictures Entertainment, the tens of millions of dollars of computer fraud in 2016, and the WannaCryptor (aka WannaCry) outbreak of 2017, in addition to a long series of disruptive attacks against South Korean public and critical infrastructure since at least 2011. US-CERT and the FBI track this group as HIDDEN COBRA.