ESET researchers analyzed Wslink and its WinorDLL64 payload, a backdoor that loads in-memory modules and communicates over an existing Wslink connection. The backdoor collects extensive system information, manipulates files, and executes commands, with Lazarus attribution noted as low confidence based on region and code/behavior overlaps. #WinorDLL64 #Wslink #Lazarus #GhostSecret #SonyPictures
Keypoints
- WinorDLL64 is a backdoor payload for the Wslink loader, designed for in-memory module loading and extensive system information gathering.
- Wslink functions as a Windows loader/server that loads payloads and communicates over a pre-established connection; its initial compromise vector remains unidentified.
- ESET attributes WinorDLL64 to Lazarus with low confidence due to targeted regions and overlap with known Lazarus samples.
- There are notable overlaps in both behavior and code between WinorDLL64 and GhostSecret, including similar data-gathering, file operations, and process-related actions.
- The payload reuses the loader's TLS-protected connection rather than opening a channel of its own, so commands and data are exchanged encrypted.
- The analysis details a rich set of commands (new, modified, and old) that control actions such as PowerShell execution, file operations, and session management.
MITRE Techniques
- [T1587.001] Develop Capabilities: Malware – “WinorDLL64 is a custom tool.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – “WinorDLL64 can execute arbitrary PowerShell commands.”
- [T1106] Native API – “WinorDLL64 can execute further processes using the CreateProcessW and CreateProcessAsUserW APIs.”
- [T1134.002] Access Token Manipulation: Create Process with Token – “WinorDLL64 can call APIs WTSQueryUserToken and CreateProcessAsUserW to create a process under an impersonated user.”
- [T1070.004] Indicator Removal: File Deletion – “WinorDLL64 can securely remove arbitrary files.”
- [T1087.001] Account Discovery: Local Account – “WinorDLL64 can enumerate sessions and list associated user and client names, among other details.”
- [T1087.002] Account Discovery: Domain Account – “WinorDLL64 can enumerate sessions and list associated domain names, among other details.”
- [T1083] File and Directory Discovery – “WinorDLL64 can obtain file and directory listings.”
- [T1135] Network Share Discovery – “WinorDLL64 can discover shared network drives.”
- [T1057] Process Discovery – “WinorDLL64 can collect information about running processes.”
- [T1012] Query Registry – “WinorDLL64 can query the Windows registry to gather system information.”
- [T1082] System Information Discovery – “WinorDLL64 can obtain information such as computer name, OS and latest service pack version, processor architecture, processor name, and amount of space on fixed drives.”
- [T1614] System Location Discovery – “WinorDLL64 can obtain the victim’s default country name using the GetLocaleInfoW API.”
- [T1614.001] System Location Discovery: System Language Discovery – “WinorDLL64 can obtain the victim’s default language using the GetLocaleInfoW API.”
- [T1016] System Network Configuration Discovery – “WinorDLL64 can enumerate network adapter information.”
- [T1049] System Network Connections Discovery – “WinorDLL64 can collect a list of listening ports.”
- [T1033] System Owner/User Discovery – “WinorDLL64 can enumerate sessions and list associated user, domain, and client names, among other details.”
- [T1560.002] Archive Collected Data: Archive via Library – “WinorDLL64 can compress and exfiltrate directories using the quicklz library.”
- [T1005] Data from Local System – “WinorDLL64 can collect data on the victim’s device.”
- [T1531] Account Access Removal – “WinorDLL64 can disconnect a logged-on user from specified sessions.”
Indicators of Compromise
- [SHA-1] 1BA443FDE984CEE85EBD4D4FA7EB1263A6F1257F
- [File Name] WinorDLL64.dll, WinorLoaderDLL64.dll
Read more: https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/