APT group Lazarus also uses new backdoor against targets in Europe

February 27, 2023

The backdoor is used for espionage and data manipulation.

Malware researchers at IT security vendor ESET have uncovered a dangerous new piece of malware from the notorious APT (Advanced Persistent Threat) group Lazarus. The increased occurrence in South Korea, the code and the behaviour of the backdoor “WinorDLL64” suggest that it is the work of the hacker gang allied with North Korea. However, the backdoor is also used for targeted attacks in the Middle East and Europe. ESET research facilities in the Czech Republic have recently recorded further discoveries of WinorDLL64.

The malicious code can exfiltrate, overwrite and remove files, execute commands and collect extensive information about the underlying system. WinorDLL64 is one of the components of the ominous Wslink downloader. “Wslink is a so-called loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. As the wording suggests, a loader serves as a tool to load a payload or the actual malware onto the already compromised system,” explains ESET researcher Vladislav Hrcka. “The payload can later serve for lateral movement in the attacked network, as it has a particular interest in network sessions. In doing so, Wslink listens on a port specified in the configuration and can serve additional connection clients and even load various payloads,” he adds.

https://www.welivesecurity.com/deutsch/2023/02/23/winordll64-backdoor-aus-dem-lazarus-arsenal
