The Cyber Security News
WinorDLL64 Backdoor Linked to Lazarus Group

February 23, 2023

A payload of the Wslink downloader named WinorDLL64 has been linked to the North Korea-aligned advanced persistent threat (APT) known as Lazarus Group.

The link was made by cybersecurity researchers at ESET, who published a blog post about it earlier today.

“Wslink […] is a loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory,” wrote ESET malware analyst Vladislav Hrčka.

According to the advisory, the initial Wslink compromise vector was not identified, but the malware was uploaded to VirusTotal from South Korea following the publication of the company's advisory.

“The WinorDLL64 payload serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, such as exfiltrating, overwriting, and removing files, and executes additional commands,” wrote Hrčka.

Further, the Wslink loader listens on a port specified in the configuration file. It can reportedly serve other connecting clients and load additional payloads.

First observed by the ESET team in 2021, Wslink was not immediately associated by the security researchers with Lazarus. The connection was made only recently, owing to an overlap in the targeted region, behavior and code with known Lazarus samples. In particular, the overlaps were observed with two Lazarus-attributed campaigns: Operation GhostSecret and the Bankshot implant.

“WinorDLL64 contains an overlap in the development environment, behavior, and code with several Lazarus samples, which indicates that it might be a tool from the vast arsenal of this North-Korea-aligned APT group,” Hrčka said.

More information about the samples analyzed by ESET, as well as associated indicators of compromise (IoCs), is provided in the company's advisory.

The technical write-up comes weeks after the US Federal Bureau of Investigation (FBI) linked Lazarus Group to the $100m theft from cryptocurrency firm Harmony. More recently, the APT was observed committing an “operational security oversight” while targeting research, medical and energy sector organizations.


Some parts of this report are sourced from:
www.infosecurity-magazine.com