Wslink is a loader, a type of malware that installs other executables on affected machines; it is itself delivered as a malicious program and executes the modules it receives directly in memory. ESET has only seen a handful of Wslink instances in its telemetry over the past two years. The detected specimens are located in Central Europe, North America and the Middle East.
ESET researcher Vladislav Hrčka, who discovered Wslink, said: “Wslink is a simple but remarkable installer. Unlike other loaders we usually come across, it runs as a server and executes imported modules in memory. We named this new malware Wslink because of one of its DLLs.”
There are no code, functionality or operational similarities suggesting that this tool comes from a known threat actor group. The modules also reuse the loader’s functions for communication, keys and sockets, so they do not need to initiate new outgoing connections. Wslink also has a well-developed cryptographic protocol to protect the exchanged data.
Hrčka explains: “We have created our own version of the Wslink client, which we think might be of interest to those new to malware analysis. This client demonstrates how the functions exported by the loader can be reused and interacted with. In addition, our analysis is an informative resource for cybersecurity defenders about these threats.” The full source code for the client is available on our WslinkClient GitHub repository.