A previously unknown malware loader was uncovered this week. Called Wslink, the tool has been described as “simple yet remarkable,” capable of loading malicious Windows binaries. The loader has been used in attacks against Central Europe, North America, and the Middle East.
Wslink malware loader runs as a server
What makes this previously undocumented loader unique is its ability to run as a server and execute received modules in memory. According to the report compiled by ESET researchers, the initial compromise vector is also unknown, and the researchers have been unable to obtain any of the modules the loader is meant to receive. No code, functionality, or operational similarities link the loader to a known threat actor.
Wslink malware loader capabilities
“Wslink runs as a service and listens on all network interfaces on the port specified in the ServicePort registry value of the service’s Parameters key. The preceding component that registers the Wslink service is not known,” the report says.
An RSA handshake with a hardcoded 2048-bit public key follows. The loader then receives the encrypted module together with a unique identifier (its signature) and an additional key used to decrypt it.
“Interestingly, the most recently received encrypted module with its signature is stored globally, making it available to all clients. One can save traffic this way – transmit only the key if the signature of the module to be loaded matches the previous one,” ESET said.
An interesting discovery is that the modules reuse Wslink’s functions for communication, keys and sockets. This way, they don’t need to initiate new outbound connections. The loader also features a well-developed cryptographic protocol to safeguard the exchanged data.
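The report gives defenders one concrete, host-level artifact: a service whose Parameters key holds a ServicePort value and that then listens on every interface. The following PowerShell hunt is an added example written for this article, not ESET's code and not derived from a Wslink sample; it enumerates services configured that way and checks whether the named port is actually bound on all interfaces. Legitimate services can use a ServicePort value too, so the output is a list of leads to review, not verdicts.

```powershell
# Added hunting example (not ESET's code): list services that keep a
# ServicePort value under their Parameters key, the configuration the report
# attributes to Wslink, and check whether that port is bound on all interfaces.
function Get-ServicePortHit {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    # Snapshot of listening TCP sockets, taken once and reused per service.
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue

    foreach ($svc in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $paramsPath = "$($svc.PSPath)\Parameters"
        if (-not (Test-Path -Path $paramsPath)) { continue }

        $raw = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServicePort
        $port = $raw -as [int]
        if ($null -eq $port) { continue }   # absent or not a numeric port

        $cfg = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        # A socket bound to 0.0.0.0 or :: is listening on every interface.
        $bound = $listening | Where-Object {
            $_.LocalPort -eq $port -and $_.LocalAddress -in @('0.0.0.0', '::')
        }

        [pscustomobject]@{
            Service        = $svc.PSChildName
            ServicePort    = $port
            ImagePath      = $cfg.ImagePath
            StartType      = $cfg.Start          # 2 = automatic start
            ListeningOnAll = [bool]$bound
            OwningPid      = ($bound | Select-Object -First 1).OwningProcess
        }
    }
}

# Review every hit; a service you cannot account for, whose binary sits outside
# the usual system directories and is bound on all interfaces, deserves a closer look.
Get-ServicePortHit | Sort-Object ListeningOnAll -Descending | Format-Table -AutoSize
```

Run it in an elevated session so the service registry keys and socket ownership are fully readable; pair any unexplained hit with a check of the binary's signature and origin.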
Another new malware loader with the potential to become “the next big thing” in spam operations was detected by Cisco Talos. Dubbed SquirrelWaffle, the threat is currently “mal-spamming” malicious Microsoft Office documents. The end goal of the campaign is delivering the well-known Qakbot malware, as well as Cobalt Strike. These are two of the most common culprits used for targeting organizations worldwide.