Security researchers at ESET have reportedly discovered that WinorDLL64, a payload of the Wslink downloader, is linked to the North Korean threat group known as the Lazarus Group, a state-aligned advanced persistent threat (APT) group. ESET released an advisory on the connection, describing Wslink as a loader for Windows binaries that runs as a server and executes received modules in memory. According to the advisory, the malware was uploaded to VirusTotal from South Korea. The initial Wslink compromise vector has not been identified.
The payload works as a backdoor that steals extensive system information and allows attackers to manipulate files, including exfiltrating, overwriting, and removing them. The Wslink loader can also serve additional payloads to other connecting clients, ESET says. The malware was first identified in 2021 but was not immediately connected to Lazarus by security researchers. The attribution is based on overlaps in behavior and code with known Lazarus samples, as well as overlap in the targeted regions.
Read More: WinorDLL64 Backdoor Linked to Lazarus Group