WinorDLL64 Backdoor Linked to Lazarus Group

A payload of the Wslink downloader named WinorDLL64 has been linked to the North Korea-aligned advanced persistent threat (APT) known as Lazarus Group.

The connection was made by cybersecurity researchers at Eset, who published an article about it earlier today.

"Wslink [...] is a loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory," wrote Eset malware analyst Vladislav Hrčka.

According to the advisory, the initial Wslink compromise vector was not identified, but the malware was uploaded to VirusTotal from South Korea following the publication of the company advisory.

"The WinorDLL64 payload serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, such as exfiltrating, overwriting, and removing files, and executes additional commands," wrote Hrčka.

Further, the Wslink loader listens on a port specified in the file configuration. It can reportedly serve other connecting clients and load additional payloads.

First seen by the Eset team in 2021, Wslink was not immediately associated with Lazarus by the security experts. The connection was made only recently due to an overlap in the targeted region, behavior and code with known Lazarus samples. In particular, the overlaps were observed with two Lazarus-attributed campaigns: Operation GhostSecret and the Bankshot implant.

"WinorDLL64 contains an overlap in the development environment, behavior, and code with several Lazarus samples, which indicates that it might be a tool from the vast arsenal of this North-Korea-aligned APT group," Hrčka explained.

More information about the samples analyzed by Eset, as well as associated indicators of compromise (IoCs), is provided in the company's advisory.

The technical write-up comes weeks after the US Federal Bureau of Investigation (FBI) linked Lazarus Group to the $100m theft from cryptocurrency firm Harmony. More recently, the APT was observed committing an "operational security mistake" while targeting research, medical and energy sector firms.
