WinorDLL64 – Lazarus Group Backdoor?

July 30, 2023

Can WinorDLL64 be a Lazarus Group backdoor? Researchers have recently uncovered a backdoor associated with Wslink, an exploit tool commonly used by the North Korea-affiliated Lazarus Group, and their investigation has provided further evidence of the group's involvement.

The payload, named WinorDLL64, allows for exfiltrating, overwriting and removing files; executing commands; and acquiring extensive system information. It communicates over the TCP connection established by the Wslink loader.
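Because the backdoor reuses a TCP connection that the loader already holds, a first triage step on a suspect Windows host is to map every established connection back to its owning process and look at which loaded modules in that process lack a valid Authenticode signature. The following is an added example written for this article, not code from the original post or from the researchers; it uses only standard cmdlets (Get-NetTCPConnection, Get-Process, Get-AuthenticodeSignature) and assumes it is run from an elevated 64-bit PowerShell so that module lists of 64-bit processes are readable.

```powershell
# Added example (not from the original post): correlate established TCP connections
# with the owning process and report loaded modules whose signature is not 'Valid'.
# Assumes an elevated 64-bit PowerShell session on Windows 8 / Server 2012 or later.

function Get-SuspectModulesForConnections {
    param([int]$MaxModulesPerProcess = 300)

    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        if (-not $proc) { continue }

        # Reading .Modules can throw (access denied, protected process, bitness
        # mismatch); treat that as "no modules visible" rather than aborting.
        $modules = @()
        try { $modules = @($proc.Modules | Select-Object -First $MaxModulesPerProcess) } catch { }

        foreach ($m in $modules) {
            if (-not $m.FileName) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            if ($sig -and $sig.Status -eq 'Valid') { continue }   # keep only unsigned / invalid

            [pscustomobject]@{
                LocalPort  = $c.LocalPort
                RemoteAddr = $c.RemoteAddress
                RemotePort = $c.RemotePort
                Pid        = $proc.Id
                Process    = $proc.ProcessName
                Module     = $m.FileName
                SigStatus  = if ($sig) { $sig.Status } else { 'Unknown' }
            }
        }
    }
}

# Usage: one row per (process, module) that has an outbound/inbound established
# connection and a module that is not validly signed.
Get-SuspectModulesForConnections | Sort-Object Pid, Module -Unique | Format-Table -AutoSize
```

An unsigned module is a lead, not a verdict: many legitimate third-party programs ship unsigned DLLs. The value of the check is that it narrows a large host down to a short list of processes that both hold a live TCP session and have loaded code of unknown origin, which is exactly the combination a loader-plus-payload design produces.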

Detection

Lazarus Syndrome is a biological phenomenon where organisms appear in the fossil record after being presumed extinct. It also refers to a medical condition in which someone who was believed dead begins to circulate blood. Lazarus Syndrome is sometimes used in science fiction and horror literature as an allegory for supernatural powers that can bring the dead back to life.

Lazarus is the name of a parable found in Luke 16:19-31 of the Bible, depicting him as an elderly beggar who has no one to help him during times of need, yet who will be highly rewarded in the next world due to his patient submission to God. It serves as an analogy to Luke’s parable of the Rich Fool (Luke 12:16-21), which illustrates how wealth may be wisely used but may lead to financial ruin.

If you suspect your computer might have WinorDLL64, we strongly suggest scanning it with a reliable antivirus program such as SpyHunter 5. Doing so can prevent serious system problems caused by this malware. If you decide to remove the folder manually, be careful; doing so has been known to cause memory problems for some users.

Analysis

Backdoors are an integral component of many malware arsenals, often included with other applications that offer extensive functionality. Emotet was one such example; it allowed remote attackers to remotely control a victim’s Windows system through a backdoor attached to malicious Microsoft Word documents.

WinorDLL64 is a backdoor from the Lazarus arsenal that grants cybercriminals access to infected computers by altering or replacing existing files on them. It has several uses, such as encrypting data stored on the host machine, stopping normal programs from functioning, and generating ransom notes in order to extract money from victims.

Windows x64 systems use the WOW64 subsystem to translate calls from 32-bit applications and redirect requests to appropriate folders. In addition, this subsystem performs other tasks such as file and registry redirection and key reflection.

One of the primary difficulties malware authors encounter when working with the WOW64 interface is how to read, write and query virtual memory without corrupting it. The task is difficult because the APIs must be used in a way that maps callback stubs correctly for the target bitness.

Thankfully, ntdll provides several exports that can help address this problem. These include NtWow64ReadVirtualMemory64, NtWow64WriteVirtualMemory64 and NtWow64QueryInformationProcess64.

However, these APIs have some shortcomings and it can be a tedious task to trace all calls made against them. Furthermore, implementations of these APIs must be written using Java Integrated Testing (JIT), which guarantees adequate performance when dealing with large numbers of transactions.

Though this interface presents challenges, it is an essential aspect of new Windows systems. It helps keep files and registry settings consistent between 32-bit and 64-bit applications by placing them in separate folders. A file redirection mechanism ensures that requests from 32-bit applications to open files in C:\Program Files or C:\WINDOWS\SYSTEM32 are redirected to their correct location; additionally, key reflection ensures consistency across these applications’ registry settings.
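The practical consequence of file system redirection and registry reflection for a defender is that a 32-bit scanner or script silently sees SysWOW64 and the 32-bit registry view, so a 64-bit payload such as WinorDLL64 placed under the real System32, or a persistence value written in the 64-bit view, can be missed. The following added example (written for this article, not part of the original post) shows how to detect whether the current process is redirected and how to inspect both views explicitly; the Sysnative alias, the WOW6432Node-backed 32-bit view and the Run key are standard Windows locations, and the DLL name passed in is only a placeholder for whatever file you are checking.

```powershell
# Added example (not from the original post): inspect the native and WOW64 views of
# System32 and HKLM so a check is not fooled by file redirection or key reflection.

function Get-Wow64Context {
    # Reports whether the *current* PowerShell process is subject to WOW64 redirection.
    $os64  = [Environment]::Is64BitOperatingSystem
    $proc64 = [Environment]::Is64BitProcess
    [pscustomobject]@{
        Is64BitOS      = $os64
        Is64BitProcess = $proc64
        Redirected     = ($os64 -and -not $proc64)
    }
}

function Get-RealSystem32Path {
    # A 32-bit process opening C:\Windows\System32 is redirected to SysWOW64.
    # The virtual 'Sysnative' alias bypasses that redirection; it exists only
    # for 32-bit processes on a 64-bit OS.
    if ((Get-Wow64Context).Redirected) { Join-Path $env:windir 'Sysnative' }
    else                               { Join-Path $env:windir 'System32' }
}

function Compare-DllViews {
    # Look for the same file name in the real System32 and in SysWOW64, and
    # report its Authenticode status in each, so neither copy is overlooked.
    param([Parameter(Mandatory)][string]$DllName)
    foreach ($dir in @((Get-RealSystem32Path), (Join-Path $env:windir 'SysWOW64'))) {
        $p = Join-Path $dir $DllName
        $exists = Test-Path -LiteralPath $p
        [pscustomobject]@{
            Path   = $p
            Exists = $exists
            Signed = if ($exists) { (Get-AuthenticodeSignature -FilePath $p).Status } else { $null }
        }
    }
}

function Compare-RegistryViews {
    # Open HKLM explicitly in the 64-bit and 32-bit views. The 32-bit view is what
    # a WOW64 process sees; for reflected keys it is backed by WOW6432Node.
    param([Parameter(Mandatory)][string]$SubKey)
    $views = @([Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32)
    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key  = $base.OpenSubKey($SubKey)
        [pscustomobject]@{
            View   = $view
            Values = if ($key) { $key.GetValueNames() } else { @() }
        }
        if ($key) { $key.Close() }
        $base.Close()
    }
}

# Usage: the DLL name is a placeholder; substitute the file you are investigating.
Get-Wow64Context
Compare-DllViews -DllName 'example-placeholder.dll'
Compare-RegistryViews -SubKey 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
```

Run the same script once from a 64-bit shell and once from the 32-bit one under C:\Windows\SysWOW64\WindowsPowerShell\v1.0 and compare the output: the Redirected flag flips, and a file or Run value that exists in only one view shows up in one run but not the other. Host-based checks that have to be complete should therefore either run as 64-bit or address both views explicitly, as above.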

Conclusions

WinorDLL64 is a comprehensive backdoor implant capable of running PowerShell commands, listing active sessions, enumerating drives, compressing directories, securely removing files and gathering extensive system information. It bears several peculiar characteristics which suggest it could be one of many tools in the arsenal of the North Korean-aligned APT Lazarus group – responsible for several high-profile attacks.

WinorDLL64’s most notable trait is its remarkable invulnerability to detection. To accomplish this feat, it uses an advanced multi-layered virtual machine obfuscator – making it one of the few malware families with such a strategy. For scientific experimentation, this obfuscator has now been deployed on several targets across Central Europe, North America and the Middle East as a valuable ally in combatting Lazarus and other malware types. With various configuration options and instant deployment available at any time, WinorDLL64 proves to be quite useful in combatting Lazarus and others alike.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
