Wslink Malware Loader Runs as a Server to Execute Modules in Memory

The new Wslink malware loader, which runs as a server and executes modules in memory, is targeting Central Europe, North America, and the Middle East.

According to ESET, Wslink stands apart from other malware because it runs as a server and executes received modules in memory. However, no information on the initial compromise vector is available, and no code or operational overlaps have been discovered that could link it to known threat actor groups.

The cybersecurity firm stated that only a handful of instances were discovered in the last two years, which suggests it can be used in highly targeted cyber infiltrations.

The Wslink malware is designed to run as a service and accept encrypted portable executable (PE) files from a specific IP address. These files are then decrypted and loaded into memory before execution. This is achieved by performing a handshake between the server and the client, i.e., the victim, in which the two sides exchange the cryptographic keys necessary to encrypt the modules using AES.

ESET researcher Vladislav Hrčka said, “Interestingly, the modules reuse the loader’s functions for communication, keys, and sockets; hence they do not have to initiate new outbound connections. Wslink additionally features a well-developed cryptographic protocol to protect the exchanged data.”

Earlier, Cisco Talos disclosed yet another malware loader called SQUIRRELWAFFLE, which is being distributed via spam email campaigns to deploy Qakbot and Cobalt Strike on compromised systems.
