IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers could use new Wslink malware in highly targeted cyber attacks

Malware acts as a server, but its origins baffle boffins

Security researchers have discovered a new malware strain that acts as a server but doesn’t appear to be similar to other malware hackers use.

The malware, dubbed Wslink, has only been seen a few times over the last two years with detections in Central Europe, North America, and the Middle East, according to researchers at Eset. It was named Wslink after one of its dynamic link libraries (DLLs), and researchers believe hackers are using it in highly targeted campaigns because the malware has been detected so few times.

The malware is distinctive because it runs as a server and executes received modules in memory. Researchers said the initial compromise vector is not known. They also note that most of the samples are packed with MPRESS, a free high-performance packer, and some parts of the code are virtualized.

“Unfortunately, so far we have been unable to obtain any of the modules it is supposed to receive. There are no code, functionality, or operational similarities that suggest this is likely to be a tool from a known threat actor group,” said ESET researcher Vladislav Hrčka.

The new malware runs as a service on infected machines and listens via a computer’s ports to accept connections to those ports. Accepting a connection is followed by an RSA handshake with a hardcoded 2,048-bit public key to securely exchange both the key and IV to be used for 256-bit AES in CBC mode. The encrypted module is subsequently received with a unique identifier – signature – and an additional key for its decryption, according to researchers.

“Interestingly, the most recently received encrypted module with its signature is stored globally, making it available to all clients. One can save traffic this way – transmit only the key if the signature of the module to be loaded matches the previous one,” said Hrčka.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

He added that the malware is a simple yet remarkable loader that runs as a server and executes received modules in memory, unlike those usually seen.

“Interestingly, the modules reuse the loader’s functions for communication, keys, and sockets; hence they do not have to initiate new outbound connections. Wslink additionally features a well-developed cryptographic protocol to protect the exchanged data,” said Hrčka.

Featured Resources

Three ways manual coding is killing your business productivity

...and how you can fix it

Free Download

Goodbye broadcasts, hello conversations

Drive conversations across the funnel with the WhatsApp Business Platform

Free Download

Winning with multi-cloud

How to drive a competitive advantage and overcome data integration challenges

Free Download

Talking to a business should feel like messaging a friend

Managing customer conversations at scale with the WhatsApp Business Platform

Free Download

Recommended

Best security systems for business
cyber security

Best security systems for business

4 Oct 2022
Frontpoint review
cyber security

Frontpoint review

4 Oct 2022
Vivint review
cyber security

Vivint review

4 Oct 2022
Verisure review
cyber security

Verisure review

4 Oct 2022

Most Popular

How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
Vodafone UK confirms talks to merge with Three are underway
mergers and acquisitions

Vodafone UK confirms talks to merge with Three are underway

3 Oct 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022