Share this page!

ESET research Profile picture
Twitter logo
Oct 27, 2021 7 tweets 3 min read
#ESETresearch has discovered a unique and undescribed #loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. We have named this new malware #Wslink after one of its DLLs. 1/7 @HrckaVladislav welivesecurity.com/2021/10/27/wsl…
The initial compromise vector is not known, and we have seen only a few hits in our telemetry in the past two years, with detections in Central Europe, North America, and the Middle East. 2/7
There are no similarities that suggest this is likely to be a tool from a known threat actor group. Wslink runs as a service and listens on all network interfaces on the port specified in the ServicePort registry value of the service’s Parameters key. 3/7 Image
Accepting a connection is followed by an RSA handshake with a hardcoded public key to securely exchange both the key and IV to be used for AES. The encrypted module is subsequently received with a unique identifier and an additional key for its decryption. 4/7
The decrypted module is loaded into memory using the MemoryModule library and executed. The functions for communication, socket, key and IV are used as parameters, enabling the module to exchange messages over the already established connection. 5/7 Image
We have implemented our own version of a Wslink client, which might be of interest to beginners in malware analysis as it shows how one can reuse and interact with the loader’s existing functions. It was initially made to experiment with detection methods. 6/7
The full source code for the client is available in our WslinkClient GitHub repository github.com/eset/wslink-cl…. 7/7

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ESET research

ESET research Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ESETresearch

ESET research Profile picture
Mar 28
#ESETresearch is offering you a #behindthescenes look at the diligent work required to see through the
obfuscation techniques used in the recently described #Wslink, unique and undocumented
malicious loader that runs as a server. 1/5
@HrckaVladislav
welivesecurity.com/2022/03/28/und…
Wslink’s multilayered #virtualmachine introduced a diverse arsenal of #obfuscation techniques, which
we were able to overcome to reveal a part of the deobfuscated malicious code. 2/5 Image
We also described the code we developed to facilitate our research. It is provided to the community
@github 3/5
github.com/eset/wslink-vm…
Read 5 tweets
ESET research Profile picture
Mar 14
#BREAKING #ESETresearch warns about the discovery of a 3rd destructive wiper deployed in Ukraine 🇺🇦. We first observed this new malware we call #CaddyWiper today around 9h38 UTC. 1/7
This new malware erases user data and partition information from attached drives. #ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations. 2/7
CaddyWiper does not share any significant code similarity with #HermeticWiper, #IsaacWiper or any other malware known to us. The sample we analyzed was not digitally signed. 3/7
Read 7 tweets
ESET research Profile picture
Feb 23
Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n
We observed the first sample today around 14h52 UTC / 16h52 local time. The PE compilation timestamp of one of the sample is 2021-12-28, suggesting that the attack might have been in preparation for almost two months. 2/n
The Wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd 3/n Image
Read 7 tweets
ESET research Profile picture
Feb 22
In T3 2021, #ESETtelemetry saw a decline in all detections of monitored #macOS threats by 5.9%, compared to T2. The biggest drop was seen towards the end of December 2021, probably attributed to various festivities around the world. 🎅🕎 #ESETresearch 1/4
The decline was visible in nearly all monitored categories – Potentially Unwanted Applications (-22.5%), Adware (-10.6%) and trojans (-6.2%). Only Potentially Unsafe Applications saw a negligible uptick in T3. 2/4
While overall lower detection numbers could be seen as something positive, more than 36% of all macOS threats ESET detected in T3 were trojans and overall macOS Trojan detections rose by 126% from 2020 to 2021. 3/4
Read 4 tweets
ESET research Profile picture
Jan 18
#ESETresearch investigated Donot Team’s (also known as APT-C-35 and SectorE02) #cyberespionage campaigns targeting military organizations, governments, Ministries of Foreign Affairs, and embassies of countries in South Asia. welivesecurity.com/2022/01/18/don… 1/5
A recent report by #Amnesty International links the group’s malware to an Indian cybersecurity company that be selling the spyware to entities in the region. 2/5
ESET’s investigation spans from September 2020 to October 2021 and details variants of the yty malware framework used to target entities in Bangladesh 🇧🇩, Sri-Lanka 🇱🇰, Pakistan 🇵🇰 and Nepal 🇳🇵. But also embassies in the Middle East, Europe, North and South America. 3/5
Read 5 tweets
ESET research Profile picture
Jan 17
The #WhisperGate malware discovered by Microsoft contains MSIL stub commonly used by commodity e-crime malware. We observed samples using the same stub that drop different malware families such as Remcos RAT, FormBook and others. #ESETresearch 1/5
We believe that attackers used FUD crypting service from darkweb to make #WhisperGate malware undetected. This service has been abusing cloud providers like GitHub, Bitbucket, Discord to store its payload in encrypted form. 2/5
Automatic detection MSIL/TrojanDownloader.Agent_AGen.FP was made 4 days prior to the attack in #Ukraine 🇺🇦 based on samples with similar MSIL stub used in an unrelated campaign. ESET solutions successfully detected stage2 malware but stage1 was not observed in ESET telemetry 3/5
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @ESETresearch has new unrolls!

Check out other threads from @ESETresearch!

Read all threads by @ESETresearch

:(