Lazarus Group Likely Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data

2023-02-23 11:47

A new backdoor associated with a malware downloader named Wslink has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal.

The payload, dubbed WinorDLL64 by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine.

"The Wslink payload can be leveraged later for lateral movement, due to its specific interest in network sessions," ESET researcher Vladislav Hr?ka said.

ESET said the payload was uploaded to the VirusTotal malware database from South Korea, where some of the victims are located, adding credence to the Lazarus involvement.

The findings are once again demonstrative of the vast arsenal of hacking tools employed by the Lazarus Group to infiltrate its targets.

"Wslink's payload is dedicated to providing means for file manipulation, execution of further code, and obtaining extensive information about the underlying system that possibly can be leveraged later for lateral movement," ESET said.

News URL

https://thehackernews.com/2023/02/lazarus-group-using-new-winordll64.html

#backdoor #lazarusgroup