A recent discovery by cybersecurity firm ESET has shed light on a backdoor known as WinorDLL64, which is believed to have been developed by the North Korea-aligned APT group Lazarus. The malware lets an attacker collect extensive system information, manipulate files, and execute further commands on a system that is already compromised. ESET researchers discovered the WinorDLL64 payload in 2021 and named it after its filename. It was found to be delivered by a loader called Wslink, which runs as a server and executes received modules in memory. The initial compromise vector used to deploy Wslink has not yet been identified, but the payload was uploaded to VirusTotal from South Korea shortly after ESET's original Wslink blog post, suggesting the tool is in use in that region.
According to ESET telemetry, Wslink has been detected in only a few instances, in Central Europe, North America, and the Middle East. The backdoor communicates over the connection already established by the Wslink loader, and its main functionality consists of exfiltrating, overwriting, and removing files. After extensive analysis of the payload, ESET attributed the tool to the Lazarus APT group with low confidence, based on the targeted region and on overlaps in both behavior and code with known Lazarus samples. Lazarus, a North Korea-aligned group responsible for high-profile incidents such as the Sony Pictures Entertainment hack, the 2016 cyberheists, and the 2017 WannaCryptor (WannaCry) outbreak, has a history of disruptive attacks against South Korean public and critical infrastructure going back to at least 2011.
ESET found overlap between WinorDLL64 and Lazarus samples from Operation GhostSecret and the Bankshot implant described by McAfee. The implants from both GhostSecret and Bankshot share functionality with WinorDLL64, and there is also some code overlap between the samples. Victimology was another indicator that supported the attribution to Lazarus: fellow researchers at AhnLab confirmed South Korean victims of Wslink in their telemetry, which is a meaningful signal given Lazarus's traditional targets and the small number of Wslink detections so far.
ESET's analysis showed that WinorDLL64 is a DLL with a single unnamed export that takes one parameter: a communication structure that ESET had already described in its earlier Wslink blog post. The structure holds a TLS context (socket, key, IV) and callbacks for sending and receiving messages encrypted with AES-256 in CBC mode, which let WinorDLL64 exchange data with the operator over the connection Wslink has already established. Because the backdoor never opens a connection of its own, network-level detection hinges on the Wslink channel rather than on any WinorDLL64-specific traffic. The backdoor accepts several commands, including one that executes a PowerShell command by launching the interpreter with an unrestricted execution policy and instructing it to read its commands from standard input, and one for deleting files that are not visible to the operating system. The backdoor also collects extensive system information and can modify and manipulate files at will.
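The PowerShell launch described above (an unrestricted execution policy combined with commands fed over standard input) is a host-level pattern that can be hunted for in process-creation telemetry. The following is an added detection example written for this article, not code from ESET or from the malware itself. It assumes Sysmon-style key=value event lines with Image, CommandLine and ParentImage fields, and the sample events are constructed for illustration; the exact command line WinorDLL64 uses is not reproduced here, only the flag semantics the page describes. PowerShell accepts any unambiguous prefix of a parameter name, so the check normalises -ep, -ex, -exec and -ExecutionPolicy (and -c, -com, -Command) rather than matching one spelling.

```python
"""Flag PowerShell launches that combine a weak execution policy with script
input from stdin (`-Command -`), the pattern attributed to WinorDLL64's
PowerShell command. Example code, not part of ESET's research or tooling."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample process-creation events for illustration only (not real telemetry).
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe -ExecutionPolicy Unrestricted -Command -" '
    r'ParentImage=C:\ProgramData\svchost.exe',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell -ep bypass -c -" '
    r'ParentImage=C:\Users\alice\AppData\Local\Temp\update.exe',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe -NoProfile -File C:\scripts\backup.ps1" '
    r'ParentImage=C:\Windows\System32\svchost.exe',
    r'Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c dir" '
    r'ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe -ExecutionPolicy Unrestricted -Command Get-Process" '
    r'ParentImage=C:\Windows\explorer.exe',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally double-quoted
ARG_RE = re.compile(r'"[^"]*"|\S+')             # command-line tokens, quoted or bare
WEAK_POLICIES = {"unrestricted", "bypass"}      # policies that disable script restrictions


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict, removing surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def _matches_param(token: str, name: str, min_len: int, aliases: Tuple[str, ...] = ()) -> bool:
    """True if `token` is a PowerShell switch naming `name` by any unambiguous
    prefix of at least `min_len` characters (or one of the explicit aliases)."""
    if not token or token[0] not in "-/":
        return False
    t = token[1:].lower()
    return t in aliases or (len(t) >= min_len and name.startswith(t))


def inspect_powershell(cmdline: str) -> Tuple[Optional[str], bool]:
    """Return (weak_policy_or_None, reads_stdin) for a PowerShell command line.
    `reads_stdin` is set when -Command is followed by '-', which makes the
    interpreter take its script text from standard input."""
    args = [a.strip('"') for a in ARG_RE.findall(cmdline)]
    weak_policy: Optional[str] = None
    reads_stdin = False
    for i, arg in enumerate(args):
        nxt = args[i + 1].lower() if i + 1 < len(args) else ""
        # '-ex', '-exec', '-ExecutionPolicy' all match; '-ep' is a common alias.
        if _matches_param(arg, "executionpolicy", 2, aliases=("ep",)) and nxt in WEAK_POLICIES:
            weak_policy = nxt
        # '-c', '-com', '-Command' all match; a bare '-' argument means stdin.
        elif _matches_param(arg, "command", 1) and nxt == "-":
            reads_stdin = True
    return weak_policy, reads_stdin


def is_suspicious(line: str) -> bool:
    """A launch is flagged only when BOTH indicators are present: a weak policy
    alone is common in admin scripting, and stdin input alone is rare but benign."""
    ev = parse_event(line)
    image = ev.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False
    weak_policy, reads_stdin = inspect_powershell(ev.get("CommandLine", ""))
    return weak_policy is not None and reads_stdin


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        verdict = "SUSPICIOUS" if is_suspicious(line) else "ok"
        print(f"{verdict:10} parent={ev.get('ParentImage')} cmd={ev.get('CommandLine')}")
```

On the constructed sample set, the first two events are flagged (Unrestricted plus `-Command -`, and the abbreviated `-ep bypass -c -`), while the `-File` backup script, the cmd.exe event and the unrestricted-but-inline `Get-Process` launch are not. In production the parent image is worth keeping as context in the alert: a PowerShell child of an unsigned binary in ProgramData or a user's Temp directory, as in the first two samples, is far more interesting than the same command line under explorer.exe.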
In summary, the discovery of WinorDLL64 and its link to the Wslink loader has provided insight into the Lazarus group's capabilities for collecting system information, manipulating files, and communicating with operators over an encrypted channel. The targeted region and the overlap in behavior and code suggest that the tool is used by Lazarus, a North Korea-aligned group with a long history of disruptive attacks against South Korean public and critical infrastructure. Security experts warn that organizations and individuals in the region should remain vigilant against Lazarus and its evolving toolset.