APT group Lazarus also uses new backdoor against targets in Europe

February 27, 2023

The backdoor will be used for espionage and data manipulation.

Malware researchers at IT security manufacturer ESET have uncovered a new dangerous malware from the notorious APT group Lazarus (Advanced Persistent Threat). The increased occurrence in South Korea, the code and the behaviour of the backdoor “WinorDLL64” suggest that it is the hacker gang allied with North Korea. However, the backdoor is also used for targeted attacks in the Middle East and Europe. ESET research facilities in the Czech Republic have recently recorded further discoveries of WinorDLL64.

The malicious code can exfiltrate, overwrite and remove files, execute commands and collect extensive information about the underlying system. WinorDLL64 is one of the components of the ominous Wslink downloader. “Wslink is a so-called loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. As the wording suggests, a loader serves as a tool to load a payload or the actual malware onto the already compromised system,” explains ESET researcher Vladislav Hrcka. “The payload can later serve for lateral movements in the attacked network, as it has a particular interest in network sessions. In doing so, Wslink listens on a port specified in the configuration and can serve additional connection clients and even load various payloads,” he adds.


Related Articles

VdS draft guideline for gluing systems for banknote neutralization

VdS draft guideline for gluing systems for banknote neutralization

VdS Schadenverhütung GmbH has released the draft of VdS 6040-1 "VdS Guidelines for Banknote Security Systems - Gluing Systems for Banknote Neutralization" for public consultation These guidelines contain requirements for gluing systems with active application of the...

Share This