Researchers discovered Wslink, a previously undescribed loader for Windows binaries that, unlike similar loaders, runs as a server and executes modules in memory. The name Wslink comes from one of its DLLs.

Most of the samples analyzed are packed with MPRESS and some parts of the code are virtualized. The researchers were not able to obtain any of the modules the loader can receive by the C2.

Wslink runs as a service and listens on all network interfaces on the port specified in the ServicePort registry value of the service’s Parameters key. The preceding component that registers the Wslink service is not known.

Advertisements

Accepting a connection is followed by an RSA handshake with a hardcoded 2048-bit public key to securely exchange both the key and IV to be used for 256-bit AES in CBC mode. The encrypted module is subsequently received with a unique identifier signature and an additional key for its decryption.

Wslink runs as a service and can accept modules in the form of encrypted portal executable (PE) files only from a specific IP address. The decrypted module is loaded into memory using the Memory Module library.

The modules reuse the loader’s functions for communication, keys and sockets, this implies that the malware don’t have to initiate new outbound connections.

Advertisements

The researchers concluded the code could not be used for malicious purposes because the current release still requires a significant amount of work to be weaponized.

Indicators of Compromise

  • 840BBD3475B189DBB65F2CD4E6C060FE3E071D97