Wslink Malware

A previously unknown loader malware was detected by researchers. According to their findings, the threat named Wslink malware has no connections with any of the established cybercriminal groups. Indeed, there were no meaningful overlaps in code, functionality, or operational characteristics. So far, the threat has been deployed in a limited number of attacks with the victims being located in Central Europe, North America and the Middle East.

Wslink Details

As a whole, the loader is not overly complex or sophisticated. However, it has a fairly unusual capability: it acts as a server. It runs as a service on the compromised system and continuously listens on all network interfaces on a specified port. Once a connection is established, the malware uses a robust encryption scheme to protect the exchanged data.

Wslink then receives the next-stage malicious modules and executes them in memory. The incoming modules reuse many of the functions already present in the loader, such as those responsible for communication, key handling and sockets. This design lets the implants avoid establishing new outbound connections of their own.
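The server-style behaviour described above (a service that binds every interface and waits for inbound connections) gives defenders a simple hunt: wildcard-bound listeners owned by processes that are not on the host's expected-service allowlist. The following Python is an added example, not code from the researchers' report or from Wslink itself; it parses constructed `ss -ltnp`-style lines, and the allowlist, process names and ports are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output (not real Wslink artefacts).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=901,fd=7))
LISTEN  0       511     0.0.0.0:8443        0.0.0.0:*          users:(("svchelper",pid=4411,fd=5))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     *:9000              *:*                users:(("loaderd",pid=5120,fd=3))
"""

# Assumed allowlist of daemons expected to bind all interfaces on this host.
EXPECTED_WILDCARD_LISTENERS = {"sshd"}

# Local addresses that mean "every interface" in ss output.
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*", "::"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass(frozen=True)
class Listener:
    proc: str
    pid: int
    addr: str
    port: int

    @property
    def wildcard(self) -> bool:
        return self.addr in WILDCARD_ADDRS


def parse_listeners(text: str) -> list[Listener]:
    """Parse LISTEN rows from ss -ltnp output; the header and unmatched rows are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listeners.append(Listener(m["proc"], int(m["pid"]), m["addr"], int(m["port"])))
    return listeners


def suspicious_listeners(text: str, allowlist=EXPECTED_WILDCARD_LISTENERS) -> list[Listener]:
    """Wildcard-bound listeners whose owning process is not an expected service."""
    return [l for l in parse_listeners(text) if l.wildcard and l.proc not in allowlist]


if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE_SS_OUTPUT):
        print(f"review: {hit.proc} (pid {hit.pid}) listening on {hit.addr}:{hit.port}")
```

Loopback-only listeners such as `cupsd` are ignored; the two hits are the processes bound to all interfaces that the allowlist does not account for.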

Conclusion

Despite its relative simplicity, the Wslink malware is an effective loader that can carry out the harmful tasks it was built for. The lack of similarities between the threat and the tooling of currently known APT (Advanced Persistent Threat) groups could point towards an as-yet unknown threat actor.
