Wslink Malware Works in the Shadow to Deliver Other Payloads

Well-developed malware is usually the product of known threat actors whose activities are closely tracked by malware researchers. However, there are some projects whose code, behavior, and infrastructure cannot be linked to existing cybercrime groups. One of these implants is the Wslink Malware, which was discovered in October 2021. The threat runs on Windows systems exclusively, and it appears to serve as a loader for secondary payloads. The majority of the Wslink Malware attacks were concentrated in Central Europe, the Middle East, and North America. The criminals appear to be going after entities operating in different industries, and there is no exact data about the infection vectors they use to deploy the Wslink Malware.

How Does the Wslink Malware Operate?

The active samples of the Wslink Malware usually achieved persistence through specially crafted Windows services, all of which were configured to start automatically when Windows boots. The implant's code and its network communications were heavily encrypted in an attempt to conceal them from analysts and antivirus tools.

Once the Wslink Malware payload is decrypted, it is loaded directly into memory, minimizing the footprint it leaves on the hard drive. This makes the implant's behavior more challenging to analyze and has the added benefit of helping it evade anti-malware applications that do not scan memory thoroughly.

So far there is no information about the secondary modules that the Wslink Malware receives and executes. However, judging by its ability to load them directly into the system's memory, it is likely that its operators plan to use it in combination with other high-profile implants. The good news is that, despite Wslink Malware's advanced encryption and AV evasion techniques, it is still easy to protect yourself from it by using up-to-date antivirus software.

By Ruik
November 4, 2021
