Researchers have discovered a backdoor payload WinorDLL64, which can acquire extensive system information, manipulate files, and execute additional commands. They attribute it to the North Korea-aligned advanced persistent threat (APT) group Lazarus.
WinorDLL64 communicates over a connection already established by the Wslink loader, and the initial Wslink compromise vector has yet to be identified.
Although no data had suggested, Wslink was a tool from a known threat actor, an extensive analysis of the payload has led researchers at ESET to attribute WinorDLL64 to the Lazarus APT group with low confidence based on the targeted region and overlap in both behavior and code with known Lazarus samples.
Also known as HIDDEN COBRA, the Lazarus group has been active since 2009. This group has been responsible for high-profile incidents, including the WannaCry outbreak, tens-of-millions-of-dollar cyber heist, and the Sony Pictures Entertainment hack.
Relationship between Lazarus and WinorDLL64
ESET researchers discovered overlaps in behavior and code with Lazarus samples from Operation GhostSecret and the Bankshot implant described by McAfee.
Their analysis used the FE887FCAB66D7D7F79F05E0266C0649F0114BA7C sample from GhostSecret to compare against WinorDLL64 (1BA443FDE984CEE85EBD4D4FA7EB1263A6F1257F) unless specified otherwise.
According to ESET researchers, the Lazarus APT group is systematically organized, well-prepared, and comprises several subgroups that use a large toolset.
The discovery of WinorDLL64 highlights the sophistication of their operations. It emphasizes the need for organizations to remain vigilant and take necessary precautions to protect their systems and networks from cyber threats.
Organizations must invest in advanced threat detection and response capabilities, keep their software and security solutions up to date, regularly backup critical data, implement best practices, and educate employees on cybersecurity hygiene to avoid such advanced threats.
Technical analysis of the sample
According to a recent report, the latest GhostSecret sample reported by McAfee dates back to February 2018. However, the first sample of Wslink was discovered in late 2018, and fellow researchers reported hits in August of the same year, which they disclosed after ESET’s publication.
This indicates that these samples were detected within a relatively short period of time.
ESET researchers also found that the PE-rich headers in the Wslink and Lazarus samples indicate the same development environment.
Projects of similar size were used in several other known Lazarus samples, such as 70DE783E5D48C6FBB576BC494BAF0634BC304FD6 and 8EC9219303953396E1CB7105CDB18ED6C568E962. This overlap was found using specific rules that cover only these Wslink and Lazarus samples, an indicator with low weight.
This report highlights the continued threat the Lazarus APT group poses and their targeting of organizations worldwide.
As a result, organizations must remain vigilant and take necessary precautions to protect their systems and networks from cyber threats.
This includes regularly updating all software and security solutions, backing up critical data, implementing best practices, and educating employees about the importance of cybersecurity hygiene.