Is WinorDLL64 a Lazarus Group Backdoor? ESET researchers have recently uncovered a payload for Wslink, a loader that has been linked to the North Korea-affiliated Lazarus group. Their analysis provides further evidence of that connection.
The payload, named WinorDLL64, can exfiltrate, overwrite and delete files, execute further commands, and collect extensive system information. It communicates over the TCP connection already established by the Wslink loader rather than opening a channel of its own.
Detection
A note on the name. The group is named after the biblical Lazarus whom Jesus raises from the dead in John 11. The same figure gives its name to the "Lazarus taxon" of palaeontology (a species that reappears in the fossil record after being presumed extinct) and to the medical "Lazarus syndrome" (the return of spontaneous circulation after resuscitation attempts have stopped), and has long served in fiction as shorthand for a return from the dead.
The beggar Lazarus of the parable in Luke 16:19-31 is a different character: a poor man who has no one to help him in this life and is rewarded in the next, in contrast to the rich man at whose gate he lay. Like the parable of the Rich Fool (Luke 12:16-21), the story concerns the misuse of wealth; neither passage tells us anything about the malware.
If you suspect a host is compromised, scan it with a reputable antivirus or EDR product such as SpyHunter 5, but do not stop at a disk scan: Wslink receives WinorDLL64 over the network and runs it in memory, so a memory-capable scanner or a memory capture is needed to find the payload, and the loader's listening socket is often the more visible artefact. Do not reboot the machine or kill suspect processes before memory has been captured, because that volatile evidence is lost on termination.
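As an added hunting aid (example code written for this page, not code from the original article or from the published research), the following PowerShell lists listening TCP sockets together with the owning process, its image path and its Authenticode status. A loader that waits for its operator to connect, as Wslink does, must hold a listening socket, so unexpected network-exposed listeners whose image is unsigned deserve a closer look. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt so that every process's image path is readable.

```powershell
# Added hunting example, not from the original article or the published
# research. Enumerates listening TCP sockets with owner, image and signature.

function Get-ListeningProcessReport {
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction Stop
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($proc) { $proc.Path } else { $null }
        # Authenticode status of the image on disk: Valid, NotSigned, HashMismatch, ...
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            LocalPort    = $l.LocalPort
            Pid          = $l.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
            ImagePath    = if ($path) { $path } else { '(inaccessible)' }
            Signature    = $sig
            # Sockets bound to the wildcard address are reachable from the network;
            # loopback-only listeners are out of scope for this hunt.
            Exposed      = $l.LocalAddress -in @('0.0.0.0', '::')
        }
    }
}

# Surface exposed listeners whose image is unsigned, tampered or unreadable.
Get-ListeningProcessReport |
    Where-Object { $_.Exposed -and $_.Signature -ne 'Valid' } |
    Sort-Object LocalPort |
    Format-Table -AutoSize
```

A valid signature on the owning image does not clear the process: an in-memory payload injected into, or loaded by, a legitimately signed host leaves the on-disk image untouched. Treat this as triage that tells you where to point a memory capture, not as a verdict.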
Analysis
Backdoors are a staple of malware arsenals and are frequently delivered alongside, or by, other components. Emotet is a well-known example: distributed through malicious Microsoft Word documents carrying macros, it gave remote attackers control of the victim's Windows system and went on to act as a loader for further payloads.
WinorDLL64 is a backdoor from the Lazarus arsenal. Once the Wslink loader has placed it in memory, it gives the operator file-level control of the host: files can be read out, overwritten or removed, and further commands can be executed. Nothing in its analysed capabilities involves encrypting data, disrupting running programs or dropping ransom notes; its value to the operators lies in exfiltration and remote control, not extortion.
Windows x64 systems use the WOW64 subsystem to run 32-bit applications: it translates their system calls to the 64-bit kernel interface and redirects their file-system and registry requests to separate 32-bit locations.
One difficulty for malware, and equally for analysis tooling, that runs as a 32-bit process under WOW64 is reading, writing and querying the virtual memory of 64-bit processes. The usual APIs such as ReadProcessMemory take 32-bit pointers and sizes in a 32-bit process, so they cannot address a 64-bit target's full address space.
ntdll provides several exports that address this problem: NtWow64ReadVirtualMemory64, NtWow64WriteVirtualMemory64 and NtWow64QueryInformationProcess64 take 64-bit address and size arguments.
However, these functions are undocumented, are exported only by the 32-bit ntdll.dll that a WOW64 process loads, and must be resolved at run time with GetProcAddress; for an analyst, tracing every call that flows through them is tedious.
Despite these complications, WOW64 is an essential part of x64 Windows. It keeps the files and registry settings of 32-bit and 64-bit applications apart by placing them in separate locations: file-system redirection sends a 32-bit application's request for C:\Windows\System32 to C:\Windows\SysWOW64 (and its %ProgramFiles% resolves to C:\Program Files (x86)), while registry redirection maps HKLM\SOFTWARE to HKLM\SOFTWARE\WOW6432Node. Registry reflection, which copied certain keys between the two views, existed only in older versions and was removed in Windows 7. The practical caveat is that a 32-bit tool looking for a 64-bit implant in System32 silently inspects the wrong directory; the Sysnative alias, visible only to 32-bit processes, reaches the real System32.
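To make the redirection visible, the following added example (written for this page; it is not code from the original article or from the research it summarises) runs one probe script in both the native 64-bit and the 32-bit PowerShell host that ship with Windows and compares what each sees. It assumes x64 Windows with both hosts present under %windir% and that it is launched from a 64-bit PowerShell, so that the System32 path of the launcher is not itself redirected.

```powershell
# Added example, not from the original article or the published research.
# Runs the same probe in the 64-bit and 32-bit PowerShell hosts so that WOW64
# file-system and registry redirection can be observed side by side.

$probe = @'
# Read IMAGE_FILE_HEADER.Machine of whatever "System32\cmd.exe" resolves to.
$fileProbe = Join-Path $env:windir 'System32\cmd.exe'
$fs = [System.IO.File]::OpenRead($fileProbe)
try {
    $br = New-Object System.IO.BinaryReader($fs)
    $null = $fs.Seek(0x3C, 'Begin')                  # e_lfanew: offset of the PE header
    $null = $fs.Seek($br.ReadInt32() + 4, 'Begin')   # skip the "PE\0\0" signature
    $machine = $br.ReadUInt16()                      # 0x8664 = x64, 0x14c = x86
} finally { $fs.Dispose() }
$arch = switch ($machine) { 0x8664 { 'x64' } 0x14c { 'x86' } default { '0x{0:X4}' -f $machine } }

# 64-bit view reads HKLM\SOFTWARE; a 32-bit process is redirected to
# HKLM\SOFTWARE\WOW6432Node, where ProgramFilesDir holds the (x86) path.
$pfDir = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion').ProgramFilesDir

[pscustomobject]@{
    Is64BitProcess     = [Environment]::Is64BitProcess
    ProcessorArch      = $env:PROCESSOR_ARCHITECTURE     # "x86" under WOW64
    ProgramFilesEnv    = $env:ProgramFiles
    ProgramFilesDir    = $pfDir
    'System32\cmd.exe' = $arch                           # x86 when redirected to SysWOW64
    SysnativeVisible   = Test-Path (Join-Path $env:windir 'Sysnative\cmd.exe')
} | Format-List
'@

# Pass the probe as an encoded command so line breaks survive the child's command line.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))

$hosts = @(
    (Join-Path $env:windir 'System32\WindowsPowerShell\v1.0\powershell.exe'),   # native 64-bit host
    (Join-Path $env:windir 'SysWOW64\WindowsPowerShell\v1.0\powershell.exe')    # 32-bit host under WOW64
)
foreach ($h in $hosts) {
    "== $h =="
    & $h -NoProfile -NonInteractive -EncodedCommand $encoded
}
```

The 64-bit run reports an x64 cmd.exe, C:\Program Files and no Sysnative directory; the 32-bit run, asking for exactly the same paths and key, reports an x86 cmd.exe, C:\Program Files (x86) and a visible Sysnative alias. That difference is why a 32-bit collection tool should either be avoided on x64 hosts or be pointed at Sysnative and the 64-bit registry view explicitly.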
Conclusions
WinorDLL64 is a comprehensive backdoor implant capable of running PowerShell commands, listing active sessions, enumerating drives, compressing directories, securely deleting files and gathering extensive system information. Several of its characteristics, including code and behavioural overlaps with the GhostSecret and Bankshot implants and the profile of its victims, suggest that it is one of many tools in the arsenal of the North Korea-aligned APT group Lazarus, which is responsible for several high-profile attacks.
Its most notable defence against detection is indirect: it is delivered and executed in memory by the Wslink loader, which is protected by an advanced multi-layered virtual-machine obfuscator, an unusual investment for a loader. Only a handful of Wslink detections have been observed, with victims in Central Europe, North America and the Middle East, which is consistent with a narrowly targeted tool rather than a widely distributed one.