“Wslink is a simple yet remarkable loader that, unlike those we usually see, runs as a server and executes received modules in memory,” says ESET researcher Vladislav Hrčka, who discovered Wslink. “We have named this new malware Wslink after one of its DLLs,” he adds.
No code, functionality or operational similarities suggest that Wslink is a tool of a known threat actor group. Additionally, its modules reuse the loader’s functions for communication, keys, and sockets; hence they do not have to initiate new outbound connections. Wslink also features a well-developed cryptographic protocol to protect the exchanged data.
“We have implemented our own version of a Wslink client, which might be of interest to beginners in malware analysis as it shows how one can reuse and interact with the loader’s existing functions. Our analysis also serves as an informative resource documenting this threat for cybersecurity defenders,” explains Hrčka. The full source code for the client is available in our WslinkClient GitHub repository.