The targeted region, and overlap in behavior and code, suggest the tool is used by the infamous North Korea-aligned APT group
ESET researchers have discovered one of the payloads of the Wslink downloader that we uncovered back in 2021. We named this payload WinorDLL64 based on its filename WinorDLL64.dll. Wslink, which had the filename WinorLoaderDLL64.dll, is a loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. As the wording suggests, a loader serves as a tool to load a payload, or the actual malware, onto the already compromised system. The initial Wslink compromise vector has not been identified.
The initially unknown Wslink payload was uploaded to VirusTotal from South Korea shortly after the publication of our blogpost, and hit one of our YARA rules based on Wslink’s unique name WinorDLL64. Regarding Wslink, ESET telemetry has seen only a few detections – in Central Europe, North America, and the Middle East.
The WinorDLL64 payload serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, such as exfiltrating, overwriting, and removing files, and executes additional commands. Interestingly, it communicates over a connection that was already established by the Wslink loader.
In 2021, we didn’t find any data that would suggest Wslink is a tool from a known threat actor. However, after an extensive analysis of the payload, we have attributed WinorDLL64 to the Lazarus APT group with low confidence, based on the targeted region and an overlap in both behavior and code with known Lazarus samples.
Active since at least 2009, this infamous North Korea-aligned group is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. US-CERT and the FBI call this group HIDDEN COBRA.
Based on our extensive knowledge of the activities and operations of this group, we believe that Lazarus consists of a large team that is systematically organized, well prepared, and made up of several subgroups that utilize a large toolset. Last year, we discovered a Lazarus tool that took advantage of the CVE‑2021‑21551 vulnerability to target an employee of an aerospace company in the Netherlands, and a political journalist in Belgium. It was the first recorded abuse of the vulnerability; in combination, the tool and the vulnerability led to the blinding of the monitoring of all security solutions on compromised machines. We also provided an extensive description of the structure of the virtual machine used in samples of Wslink.
This blogpost explains the attribution of WinorDLL64 to Lazarus and provides an analysis of the payload.
Links to Lazarus
We have discovered overlaps in both behavior and code with Lazarus samples from Operation GhostSecret and the Bankshot implant described by McAfee. The descriptions of the implants in both the GhostSecret and Bankshot articles contain overlaps in functionality with WinorDLL64, and we found some code overlap in the samples. In this blogpost we will only use the FE887FCAB66D7D7F79F05E0266C0649F0114BA7C sample from GhostSecret for comparison against WinorDLL64 (1BA443FDE984CEE85EBD4D4FA7EB1263A6F1257F), unless specified otherwise.
The following details summarize the supporting facts for our low confidence attribution to Lazarus:
1. Victimology
- Fellow researchers from AhnLab confirmed South Korean victims of Wslink in their telemetry, which is a relevant indicator considering the traditional Lazarus targets and the fact that we have observed only a few hits.
2. Malware
- The latest GhostSecret sample reported by McAfee (FE887FCAB66D7D7F79F05E0266C0649F0114BA7C) is from February 2018; we observed the first sample of Wslink in late 2018, and fellow researchers reported hits in August 2018, which they disclosed after our publication. Hence, these samples were observed a relatively short time apart.
- The PE Rich headers indicate that the same development environment and projects of similar size were used in several other known Lazarus samples (e.g., 70DE783E5D48C6FBB576BC494BAF0634BC304FD6; 8EC9219303953396E1CB7105CDB18ED6C568E962). We found this overlap using the following rule, which matches only these Wslink and Lazarus samples; this is an indicator with a low weight. We tested it on VirusTotal’s retrohunt and our internal file corpus.
```yara
import "pe"

rule Wslink_Lazarus_rich_header
{
    condition:
        pe.rich_signature.length == 80 and
        pe.rich_signature.toolid(175, 30319) == 7 and
        pe.rich_signature.toolid(155, 30319) == 1 and
        pe.rich_signature.toolid(158, 30319) == 10 and
        pe.rich_signature.toolid(170, 30319) >= 90 and
        pe.rich_signature.toolid(170, 30319) <= 108
}
```
This rule can be translated into the following notation, which is more readable and is used by VirusTotal. It shows the product version and build ID (VS2010 build 30319), the number and type of source/object files used ([LTCG C++], where LTCG stands for Link Time Code Generation, [ASM], [ C ]), and the number of exports ([EXP]) covered by the rule:
```text
[LTCG C++] VS2010 build 30319 count=7
[EXP] VS2010 build 30319 count=1
[ASM] VS2010 build 30319 count=10
[ C ] VS2010 build 30319 count in [ 90 .. 108 ]
```
- The GhostSecret article described “a unique data-gathering and implant-installation component that listens on port 443 for inbound control server connections” that additionally ran as a service. This is an accurate description of the Wslink downloader’s behavior, apart from the port number, which can vary based on the configuration. To sum up, even though the implementation is different, both serve the same purpose.
- The loader is virtualized by Oreans’ Code Virtualizer, a commercial protector that is used frequently by Lazarus.
- The loader uses the MemoryModule library to load modules directly from memory. The library is not commonly used by malware, but it is quite popular among North Korea-aligned groups such as Lazarus and Kimsuky.
- Overlap in the code between WinorDLL64 and GhostSecret that we found during our analysis. The results and their significance for attribution are listed in Table 1.
Table 1. Similarities between WinorDLL64 and GhostSecret and their significance in attributing both to the same threat actor
Other similarities between WinorDLL64 and GhostSecret | Impact
---|---
Code overlap in the code responsible for getting the processor architecture | Low
Code overlap in current directory manipulation | Low
Code overlap in getting the process list | Low
Code overlap in file sending | Low
Behavior overlap in listing processes | Low
Behavior overlap in current directory manipulation | Low
Behavior overlap in file and directory listing | Low
Behavior overlap in listing volumes | Low
Behavior overlap in reading/writing files | Low
Behavior overlap in creating processes | Low
Considerable behavior overlap in secure removal of files | Low
Considerable behavior overlap in termination of processes | Low
Considerable behavior overlap in gathering system information | Low
Code overlap in the file sending functionality is highlighted in Figure 2 and Figure 3.
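The Rich-header rule above and its VirusTotal-style translation are two views of the same data, and a defender who wants to triage samples outside VirusTotal has to extract that data from the binary. The following Python script is an added example, not code from the ESET post or from Wslink: it parses the Rich header of a PE image (the XOR-masked "DanS" block that precedes the PE signature), mirrors the `toolid(product, build)` lookup the rule uses, re-evaluates the rule's condition, and prints the entries in the notation VirusTotal shows. The product-ID labels are the four the post's translation gives; the sample PE bytes are constructed so the rule matches, and the `length` this parser reports counts bytes from "DanS" through the key dword, which is this script's own definition and should be compared with YARA's `pe.rich_signature.length` on a real sample before a byte count is copied between the two.

```python
"""Parse a PE Rich header and re-evaluate the post's Rich-header rule.

Added example; the PE bytes built below are constructed, not taken from any
real Wslink or Lazarus binary.
"""
import struct

DANS = 0x536E6144  # "DanS" marker as a little-endian dword
RICH_MARK = b"Rich"

# Labels for the product IDs the rule names, as the post's VirusTotal-style
# translation gives them for VS2010 build 30319.
TOOL_LABELS = {175: "[LTCG C++]", 155: "[EXP]", 158: "[ASM]", 170: "[ C ]"}


def parse_rich_header(pe_bytes):
    """Return (entries, length) for the Rich header of a PE image.

    entries: list of (prod_id, build_id, count) in file order.
    length: bytes from "DanS" through the XOR key dword (this parser's own
    definition; compare with pe.rich_signature.length before reusing a number).
    """
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    # The Rich block lives between the DOS stub and the PE signature.
    rich_off = pe_bytes.rfind(RICH_MARK, 0, e_lfanew)
    if rich_off < 0 or rich_off + 8 > e_lfanew:
        raise ValueError("no Rich marker before the PE header")
    key = struct.unpack_from("<I", pe_bytes, rich_off + 4)[0]
    # Walk backwards one dword at a time until the XOR-masked "DanS" appears.
    dans_off = rich_off - 4
    while dans_off >= 0:
        if struct.unpack_from("<I", pe_bytes, dans_off)[0] ^ key == DANS:
            break
        dans_off -= 4
    else:
        raise ValueError("no DanS marker")
    entries = []
    pos = dans_off + 16  # skip "DanS" and the three masked padding dwords
    while pos + 8 <= rich_off:
        comp_id, count = struct.unpack_from("<II", pe_bytes, pos)
        comp_id ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count ^ key))
        pos += 8
    return entries, rich_off + 8 - dans_off


def toolid(entries, prod_id, build_id):
    """Total count for a (product, build) pair, like pe.rich_signature.toolid()."""
    return sum(c for p, b, c in entries if p == prod_id and b == build_id)


def matches_rule(entries, length):
    """The post's rule condition, re-expressed over the parsed entries."""
    return (
        length == 80
        and toolid(entries, 175, 30319) == 7
        and toolid(entries, 155, 30319) == 1
        and toolid(entries, 158, 30319) == 10
        and 90 <= toolid(entries, 170, 30319) <= 108
    )


def describe(entries):
    """Render entries in the notation VirusTotal shows for Rich headers."""
    lines = []
    for prod, build, count in entries:
        label = TOOL_LABELS.get(prod, "[prodid %d]" % prod)
        product = "VS2010" if build == 30319 else "unknown product"
        lines.append("%s %s build %d count=%d" % (label, product, build, count))
    return lines


def build_sample_pe(c_count=95, key=0x12345678):
    """Constructed PE prefix: DOS header, 80-byte Rich block, PE signature.

    c_count is the [ C ] entry count; the three trailing entries are filler
    chosen so the block is exactly 80 bytes.
    """
    entries = [
        (175, 30319, 7),        # [LTCG C++]
        (155, 30319, 1),        # [EXP]
        (158, 30319, 10),       # [ASM]
        (170, 30319, c_count),  # [ C ]
        (1, 0, 40),             # filler entry, constructed
        (157, 30319, 1),        # filler entry, constructed
        (156, 30319, 1),        # filler entry, constructed
    ]
    dwords = [DANS, 0, 0, 0]
    for prod, build, count in entries:
        dwords += [(prod << 16) | build, count]
    rich_block = b"".join(struct.pack("<I", d ^ key) for d in dwords)
    rich_block += RICH_MARK + struct.pack("<I", key)
    # 64-byte DOS header with e_lfanew at 0x3C, padded to 128 bytes.
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 128 + len(rich_block)) + b"\x00" * 64
    return dos_header + rich_block + b"PE\x00\x00"


if __name__ == "__main__":
    found, size = parse_rich_header(build_sample_pe())
    print("\n".join(describe(found)))
    print("length =", size, "rule matches:", matches_rule(found, size))
```

Running the script on the constructed input prints the four labelled entries plus the filler ones and reports that the rule matches; changing `c_count` to a value outside 90..108 makes `matches_rule` return False, which is the quickest way to see which clause of the rule a real sample fails on when the VirusTotal view and a local scan disagree.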
Technical analysis
WinorDLL64 serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, and executes additional commands. Interestingly, it communicates over a TCP connection that was already established by its loader and uses some of the loader’s functions.
The backdoor is a DLL with a single unnamed export that accepts one parameter – a structure for communication that was already described in our previous blogpost. The structure contains a TLS-context – socket, key, IV – and callbacks for sending and receiving messages encrypted with 256-bit AES-CBC, which enable WinorDLL64 to exchange data securely with the operator over an already established connection.
The following facts lead us to believe with high confidence that the library is indeed part of Wslink:
- The unique structure is used everywhere in the expected manner, e.g., the TLS-context and other meaningful parameters are supplied in the expected order to the correct callbacks.
- The name of the DLL is WinorDLL64.dll and Wslink’s name was WinorLoaderDLL64.dll.
WinorDLL64 accepts several commands. Figure 5 displays the loop that receives and handles commands. Each command is bound to a unique ID and accepts a configuration that contains additional parameters.
The command list, with our labels, is in Figure 6.
Table 2 contains a summary of the WinorDLL64 commands, where the modified and old categories refer to the relationship to the previously documented GhostSecret functionality. We highlight only significant changes in the modified category.
Table 2. Overview of backdoor commands
Category | Command ID | Functionality | Description
---|---|---|---
New | 0x03 | Execute a PowerShell command | WinorDLL64 instructs the PowerShell interpreter to run unrestricted and to read commands from standard input. Afterwards, the backdoor passes the specified command to the interpreter and sends the output to the operator.
New | 0x09 | Compress and download a directory | WinorDLL64 recursively iterates over a specified directory. The content of each file and directory is compressed separately and written to a temporary file that is afterwards sent to the operator and then removed securely.
New | 0x0D | Disconnect a session | Disconnects a specified logged-on user from the user’s Remote Desktop Services session. The command can also perform different functionality based on the parameter.
New | 0x0D | List sessions | Acquires various details about all sessions on the victim’s machine and sends them to the operator. The command can also perform different functionality based on the parameter.
New | 0x0E | Measure connection time | Uses the Windows API GetTickCount to measure the time required to connect to a specified host.
Modified | 0x01 | Get system info | Acquires comprehensive details about the victim’s system and sends them to the operator.
Modified | 0x0A | Remove files securely | Overwrites specified files with a block of random data, renames each file to a random name, and finally securely removes them one by one.
Modified | 0x0C | Kill processes | Terminates all processes whose names match a supplied pattern and/or with a specific PID.
Old | 0x02/0x0B | Create a process | Creates a process either as the current or a specified user and optionally sends its output to the operator.
Old | 0x05 | Set/Get current directory | Attempts to set and subsequently acquire the path of the current working directory.
Old | 0x06 | List volumes | Iterates over drives from C: to Z: and acquires the drive type and volume name. The command can also perform different functionality based on the parameter.
Old | 0x06 | List files in a directory | Iterates over files in a specified directory and acquires information such as names, attributes, etc. The command can also perform different functionality based on the parameter.
Old | 0x07 | Write to a file | Downloads and appends the stated amount of data to a specified file.
Old | 0x08 | Read from a file | The specified file is read and sent to the operator.
Old | 0x0C | List processes | Acquires details about all running processes on the victim’s machine and additionally sends the ID of the current process.
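Command 0x03 in Table 2 has a property a detection engineer can use: PowerShell is started with policy restrictions removed and told to read its commands from standard input, a pairing that interactive use and scheduled scripts almost never produce. The following Python is an added example, not code from the post or from the sample: it scans constructed process-creation events for exactly that pairing. The switches it looks for (`-ExecutionPolicy Unrestricted` or `Bypass`, and `-Command -`, which makes powershell.exe read the command text from stdin) are an assumption about how the described behavior shows up on a command line, since the post does not print the backdoor's command line; the parameter-prefix matching reflects that powershell.exe accepts abbreviated parameter names such as `-ep`, `-ex` and `-c`.

```python
"""Flag process-creation events where powershell.exe runs with a permissive
execution policy and reads its commands from standard input.

Added example. The events are constructed, not real telemetry, and the exact
switches are an assumption derived from the post's description of command 0x03.
"""
import re

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
# Execution-policy values that remove script restrictions entirely.
PERMISSIVE_POLICIES = {"unrestricted", "bypass"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _is_param(token, full_name, min_len):
    """powershell.exe accepts any unambiguous prefix of a parameter name."""
    t = token.lower()
    if not t.startswith("-"):
        return False
    t = t[1:]
    return len(t) >= min_len and full_name.startswith(t)


def analyze_powershell_cmdline(cmdline):
    """Return the findings for one command line as a dict."""
    tokens = tokenize(cmdline)
    findings = {"image_is_powershell": False, "permissive_policy": None, "reads_stdin": False}
    if not tokens:
        return findings
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    findings["image_is_powershell"] = image in POWERSHELL_IMAGES
    for i, tok in enumerate(tokens[1:], start=1):
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        # -ExecutionPolicy / -ex / -ep <value>
        if _is_param(tok, "executionpolicy", 2) or tok.lower() == "-ep":
            if nxt in PERMISSIVE_POLICIES:
                findings["permissive_policy"] = nxt
        # -Command / -c with "-" as its value: read commands from stdin
        elif _is_param(tok, "command", 1) and nxt == "-":
            findings["reads_stdin"] = True
    return findings


def is_suspicious(event):
    """Permissive policy AND stdin-fed commands in one PowerShell launch."""
    f = analyze_powershell_cmdline(event["command_line"])
    return f["image_is_powershell"] and f["permissive_policy"] is not None and f["reads_stdin"]


# Constructed process-creation events (pid, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "command_line": 'powershell.exe -NoProfile -File "C:\\scripts\\backup.ps1"'},
    {"pid": 4388, "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
                                  " -ExecutionPolicy Unrestricted -Command -"},
    {"pid": 4512, "command_line": "powershell.exe -ep bypass -c -"},
    {"pid": 4600, "command_line": "powershell.exe -ExecutionPolicy Bypass -Command Get-Process"},
]


def flagged_pids(events=SAMPLE_EVENTS):
    """PIDs of events that match the 0x03-style launch pattern."""
    return [e["pid"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["pid"], "suspicious" if is_suspicious(event) else "ok", "-", event["command_line"])
```

Event 4600 is deliberately not flagged: a permissive policy alone is common in administration scripts, and it is the combination with stdin-fed commands that makes the launch worth a look. In a real pipeline the parent process image is the natural second pivot, since the post notes the loader runs as a service and the backdoor executes inside the connection it already holds.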
Conclusion
Wslink’s payload is dedicated to providing means for file manipulation, execution of further code, and obtaining extensive information about the underlying system that can possibly be leveraged later for lateral movement, given its specific interest in network sessions. The Wslink loader listens on a port specified in the configuration and can serve additional connecting clients, and even load various payloads.
WinorDLL64 contains an overlap in the development environment, behavior, and code with several Lazarus samples, which indicates that it might be a tool from the vast arsenal of this North Korea-aligned APT group.
IoCs
SHA-1 | ESET detection name | Description
---|---|---
1BA443FDE984CEE85EBD4D4FA7EB1263A6F1257F | Win64/Wslink.A | Memory dump of the discovered Wslink payload WinorDll64.
MITRE ATT&CK techniques
This table was built using version 12 of the ATT&CK framework. We don’t mention techniques from the loader again, only the payload.
Tactic | ID | Name | Description
---|---|---|---
Resource Development | T1587.001 | Develop Capabilities: Malware | WinorDLL64 is a custom tool.
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | WinorDLL64 can execute arbitrary PowerShell commands.
Execution | T1106 | Native API | WinorDLL64 can execute further processes using the CreateProcessW and CreateProcessAsUserW APIs.
Defense Evasion | T1134.002 | Access Token Manipulation: Create Process with Token | WinorDLL64 can call the WTSQueryUserToken and CreateProcessAsUserW APIs to create a process under an impersonated user.
Defense Evasion | T1070.004 | Indicator Removal: File Deletion | WinorDLL64 can securely remove arbitrary files.
Discovery | T1087.001 | Account Discovery: Local Account | WinorDLL64 can enumerate sessions and list associated user and client names, among other details.
Discovery | T1087.002 | Account Discovery: Domain Account | WinorDLL64 can enumerate sessions and list associated domains, among other details.
Discovery | T1083 | File and Directory Discovery | WinorDLL64 can obtain file and directory listings.
Discovery | T1135 | Network Share Discovery | WinorDLL64 can discover shared network drives.
Discovery | T1057 | Process Discovery | WinorDLL64 can collect information about running processes.
Discovery | T1012 | Query Registry | WinorDLL64 can query the Windows registry to gather system information.
Discovery | T1082 | System Information Discovery | WinorDLL64 can obtain information such as computer name, OS and latest service pack version, processor architecture, processor name, and amount of space on fixed drives.
Discovery | T1614 | System Location Discovery | WinorDLL64 can obtain the victim’s default country name using the GetLocaleInfoW API.
Discovery | T1614.001 | System Location Discovery: System Language Discovery | WinorDLL64 can obtain the victim’s default language using the GetLocaleInfoW API.
Discovery | T1016 | System Network Configuration Discovery | WinorDLL64 can enumerate network adapter information.
Discovery | T1049 | System Network Connections Discovery | WinorDLL64 can collect a list of listening ports.
Discovery | T1033 | System Owner/User Discovery | WinorDLL64 can enumerate sessions and list associated user, domain, and client names, among other details.
Collection | T1560.002 | Archive Collected Data: Archive via Library | WinorDLL64 can compress and exfiltrate directories using the quicklz library.
Collection | T1005 | Data from Local System | WinorDLL64 can collect data on the victim’s machine.
Impact | T1531 | Account Access Removal | WinorDLL64 can disconnect a logged-on user from specified sessions.