Discover and read the best of Twitter Threads about #wslink
Most recents (2)
#ESETresearch is offering you a #behindthescenes look at the diligent work required to see through the
obfuscation techniques used in the recently described #Wslink, unique and undocumented
malicious loader that runs as a server. 1/5
@HrckaVladislav
welivesecurity.com/2022/03/28/und…
obfuscation techniques used in the recently described #Wslink, unique and undocumented
malicious loader that runs as a server. 1/5
@HrckaVladislav
welivesecurity.com/2022/03/28/und…
Wslink’s multilayered #virtualmachine introduced a diverse arsenal of #obfuscation techniques, which
we were able to overcome to reveal a part of the deobfuscated malicious code. 2/5
we were able to overcome to reveal a part of the deobfuscated malicious code. 2/5
We also described the code we developed to facilitate our research. It is provided to the community
@github 3/5
github.com/eset/wslink-vm…
@github 3/5
github.com/eset/wslink-vm…
#ESETresearch has discovered a unique and undescribed #loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. We have named this new malware #Wslink after one of its DLLs. 1/7 @HrckaVladislav welivesecurity.com/2021/10/27/wsl…
The initial compromise vector is not known, and we have seen only a few hits in our telemetry in the past two years, with detections in Central Europe, North America, and the Middle East. 2/7
There are no similarities that suggest this is likely to be a tool from a known threat actor group. Wslink runs as a service and listens on all network interfaces on the port specified in the ServicePort registry value of the service’s Parameters key. 3/7
