WinorDLL64: A backdoor from the vast Lazarus arsenal?

The targeted region, and overlap in behavior and code, suggest the tool is used by the infamous North Korea-aligned APT group

ESET researchers have discovered one of the payloads of the Wslink downloader that we uncovered back in 2021. We named this payload WinorDLL64 based on its filename WinorDLL64.dll. Wslink, which had the filename WinorLoaderDLL64.dll, is a loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. As the wording suggests, a loader serves as a tool to load a payload, or the actual malware, onto the already compromised system. The initial Wslink compromise vector has not been identified.

The initially unknown Wslink payload was uploaded to VirusTotal from South Korea shortly after the publication of our blogpost, and hit one of our YARA rules based on Wslink’s unique name WinorDLL64. Regarding Wslink, ESET telemetry has seen only a few detections – in Central Europe, North America, and the Middle East.

The WinorDLL64 payload serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, such as exfiltrating, overwriting, and removing files, and executes additional commands. Interestingly, it communicates over a connection that was already established by the Wslink loader.

In 2021, we did not find any data that would suggest Wslink is a tool from a known threat actor. However, after an extensive analysis of the payload, we have attributed WinorDLL64 to the Lazarus APT group with low confidence based on the targeted region and an overlap in both behavior and code with known Lazarus samples.

Active since at least 2009, this infamous North-Korea aligned group is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. US-CERT and the FBI call this group HIDDEN COBRA.

Based on our extensive knowledge of the activities and operations of this group, we believe that Lazarus consists of a large team that is systematically organized, well prepared, and is made up of several subgroups that utilize a large toolset. Last year, we discovered a Lazarus tool that took advantage of the CVE‑2021‑21551 vulnerability to target an employee of an aerospace company in the Netherlands, and a political journalist in Belgium. It was the first recorded abuse of the vulnerability; in combination, the tool and the vulnerability led to the blinding of the monitoring of all security solutions on compromised machines. We also provided an extensive description of the structure of the virtual machine used in samples of Wslink.

This blogpost explains the attribution of WinorDLL64 to Lazarus and provides an analysis of the payload.

Links to Lazarus

We have discovered overlaps in both behavior and code with Lazarus samples from Operation GhostSecret and the Bankshot implant described by McAfee. The description of the implants in both GhostSecret and Bankshot articles contains overlaps in the functionality with WinorDLL64 and we found some code overlap in the samples. In this blogpost we will only use the FE887FCAB66D7D7F79F05E0266C0649F0114BA7C sample from GhostSecret for comparison against WinorDLL64 (1BA443FDE984CEE85EBD4D4FA7EB1263A6F1257F), unless specified otherwise.

The following details summarize the supporting facts for our low confidence attribution to Lazarus:

1. Victimology

Fellow researchers from AhnLab confirmed South Korean victims of Wslink in their telemetry, which is a relevant indicator considering the traditional Lazarus targets and that we have observed only a few hits.

Figure 1. Reported South Korean victim, where mstoned7 is the researcher from Ahnlab

2. Malware

The latest GhostSecret sample reported by McAfee (FE887FCAB66D7D7F79F05E0266C0649F0114BA7C) is from February 2018; we spotted the first sample of Wslink in late 2018 and fellow researchers reported hits in August 2018, which they disclosed after our publication. Hence, these samples were spotted a relatively short period of time apart.
The PE rich headers indicate that the same development environment and projects of similar size were used in several other known Lazarus samples (e.g., 70DE783E5D48C6FBB576BC494BAF0634BC304FD6; 8EC9219303953396E1CB7105CDB18ED6C568E962). We found this overlap using the following rules that cover only these Wslink and Lazarus samples, which is an indicator with a low weight. We tested them on VirusTotal’s retrohunt and our internal file corpus.

rich_signature.length == 80 andpe.rich_signature.toolid(175, 30319) == 7 andpe.rich_signature.toolid(155, 30319) == 1 andpe.rich_signature.toolid(158, 30319) == 10 andpe.rich_signature.toolid(170, 30319) >= 90 andpe.rich_signature.toolid(170, 30319) <= 108

This rule can be translated to the following notation that is more readable and used by VirusTotal, where one can see the product version and build ID (VS2010 build 30319), number and type of source/object files used ([LTCG C++] where LTCG stands for Link Time Code Generation, [ASM], [ C ]), and number of exports ([EXP]) in the rule:

[LTCG C++] VS2010 build 30319 count=7[EXP] VS2010 build 30319 count=1[ASM] VS2010 build 30319 count=10[ C ] VS2010 build 30319 count in [ 90 .. 108 ]

The GhostSecret article described “a unique data-gathering and implant-installation component that listens on port 443 for inbound control server connections” that additionally ran as a service. This is an accurate description of Wslink downloader behavior, apart from the port number, which can vary based on the configuration. To sum it up, even though the implementation is different, both serve the same purpose.
The loader is virtualized by Oreans’ Code Virtualizer, which is a commercial protector that is used frequently by Lazarus.
The loader uses the MemoryModule library to load modules directly from memory. The library is not commonly used by malware, but it is quite popular among North Korea-aligned groups such as Lazarus and Kimsuky.
Overlap in the code between WinorDLL64 and GhostSecret that we found during our analysis. The results and the significance in attribution are listed in Table 1.

Table 1. Similarities between WinorDLL64 and GhostSecret and their significance in attributing both to the same threat actor

Other similarities between WinorDLL64 and GhostSecretImpact
Code overlap in code responsible to get processor architecture Low
Code overlap in current directory manipulation Low
Code overlap in getting the process list Low
Code overlap in file sending Low
Behavior overlap in listing processesLow
Behavior overlap in current directory manipulationLow
Behavior overlap in file and directory listingLow
Behavior overlap in listing volumesLow
Behavior overlap in reading/writing filesLow
Behavior overlap in creating processesLow
Considerable behavior overlap in secure removal of filesLow
Considerable behavior overlap in termination of processesLow
Considerable behavior overlap in collecting system informationLow

Code overlap in the file sending functionality is highlighted in Figure 2 and Figure 3.

Figure 2. GhostSecret sending a file

Figure 3. Wslink sending a file

Technical analysis

WinorDLL64 serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, and executes additional commands. Interestingly, it communicates over a TCP connection that was already established by its loader and uses some of the loader’s functions.

Figure 4. Visualization of Wslink’s communication

The backdoor is a DLL with a single unnamed export that accepts one parameter – a structure for communication that was already described in our previous blogpost. The structure contains a TLS-context – socket, key, IV – and callbacks for sending and receiving messages encrypted with 256-bit AES-CBC that enable WinorDLL64 to exchange data securely with the operator over an already established connection.

The following facts lead us to believe with high confidence that the library is indeed part of Wslink:

The unique structure is used everywhere in the expected way, e.g., the TLS-context and other meaningful parameters are supplied in the anticipated order to the correct callbacks.
The name of the DLL is WinorDLL64.dll and Wslink’s name was WinorLoaderDLL64.dll.

WinorDLL64 accepts several commands. Figure 5 displays the loop that receives and handles commands. Each command is bound to a unique ID and accepts a configuration that contains additional parameters.

Figure 5. The main part of the backdoor’s command-receiving loop

The command list, with our labels, is in Figure 6.

Figure 6. The command list

Table 2 contains a summary of the WinorDLL64 commands, where modified, and old categories refer to the relationship to the previously documented GhostSecret functionality. We highlight only significant changes in the modified category.

Table 2. Overview of backdoor commands

CategoryCommand IDFunctionalityDescription
New0x03Execute a PowerShell commandWinorDLL64 instructs the PowerShell interpreter to run unrestricted and to read commands from standard input. Afterwards, the backdoor passes the specified command to the interpreter and sends the output to the operator.
0x09Compress and download a directoryWinorDLL64 recursively iterates over a specified directory. The content of each file and directory is compressed separately and written to a temporary file that is afterwards sent to the operator and then removed securely.
0x0DDisconnect a sessionDisconnects a specified logged-on user from the user’s Remote Desktop Services session. The command can also perform different functionality based on the parameter.
0x0DList sessionsAcquires various details about all sessions on the victim’s device and sends them to the operator. The command can also perform different functionality based on the parameter.
0x0EMeasure connection timeUses the Windows API GetTickCount to measure the time required to connect to a specified host.
Modified0x01Get system infoAcquires comprehensive details about the victim’s system and sends them to the operator.
0x0ARemove files securelyOverwrites specified files with a block of random data, renames each file to a random name, and finally securely removes them one by one.
0x0CKill processesTerminates all processes whose names match a supplied pattern and/or with a specific PID.
Old0x02/0x0BCreate a processCreates a process either as the current or specified user and optionally sends its output to the operator.
0x05Set/Get current directoryAttempts to set and subsequently acquire the path of the current working directory.
0x06List volumesIterates over drives from C: to Z: and acquires the drive type and volume name. The command can also perform different functionality based on the parameter.
0x06List files in a directoryIterates over files in specified directory and acquires information such as names, attributes, etc. The command can also perform different functionality based on the parameter.
0x07Write to a fileDownloads and appends the stated amount of data to specified file.
0x08Read from a fileThe specified file is read and sent to the operator.
0x0CList processesAcquires details about all running processes on the victim’s device and additionally sends ID of the current process.


Wslink’s payload is dedicated to providing means for file manipulation, execution of further code, and obtaining extensive information about the underlying system that possibly can be leveraged later for lateral movement, due to specific interest in network sessions. The Wslink loader listens on a port specified in the configuration and can serve additional connecting clients, and even load various payloads.

WinorDLL64 contains an overlap in the development environment, behavior, and code with several Lazarus samples, which indicates that it might be a tool from the vast arsenal of this North-Korea aligned APT group.

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.


SHA-1ESET detection nameDescription
1BA443FDE984CEE85EBD4D4FA7EB1263A6F1257FWin64/Wslink.AMemory dump of discovered Wslink payload WinorDll64.

MITRE ATT&CK techniques

This table was built using version 12 of the ATT&CK framework. We do not mention techniques from the loader again, only the payload.

Resource DevelopmentT1587.001Develop Capabilities: MalwareWinorDLL64 is a custom tool.
ExecutionT1059.001Command and Scripting Interpreter: PowerShellWinorDLL64 can execute arbitrary PowerShell commands.
T1106Native APIWinorDLL64 can execute further processes using the CreateProcessW and CreateProcessAsUserW APIs.
Defense EvasionT1134.002Access Token Manipulation: Create Process with TokenWinorDLL64 can call APIs WTSQueryUserToken and CreateProcessAsUserW to create a process under an impersonated user.
T1070.004Indicator Removal: File DeletionWinorDLL64 can securely remove arbitrary files.
DiscoveryT1087.001Account Discovery: Local AccountWinorDLL64 can enumerate sessions and list associated user, and client names, among other details.
T1087.002Account Discovery: Domain AccountWinorDLL64 can enumerate sessions and list associated domain names –among other details.
T1083File and Directory DiscoveryWinorDLL64 can obtain file and directory listings.
T1135Network Share DiscoveryWinorDLL64 can discover shared network drives.
T1057Process DiscoveryWinorDLL64 can collect information about running processes.
T1012Query RegistryWinorDLL64 can query the Windows registry to gather system information.
T1082System Information DiscoveryWinorDLL64 can obtain information such as computer name, OS and latest service pack version, processor architecture, processor name, and amount of space on fixed drives.
T1614System Location DiscoveryWinorDLL64 can obtain the victim’s default country name using the GetLocaleInfoW API.
T1614.001System Location Discovery: System Language DiscoveryWinorDLL64 can obtain the victim’s default language using the GetLocaleInfoW API.
T1016System Network Configuration DiscoveryWinorDLL64 can enumerate network adapter information.
T1049System Network Connections DiscoveryWinorDLL64 can collect a list of listening ports.
T1033System Owner/User DiscoveryWinorDLL64 can enumerate sessions and list associated user, domain, and client names –among other details.
CollectionT1560.002Archive Collected Data: Archive via LibraryWinorDLL64 can compress and exfiltrate directories using the quicklz library.
T1005Data from Local SystemWinorDLL64 can collect data on the victim’s device.
ImpactT1531Account Access RemovalWinorDLL64 can disconnect a logged-on user from specified sessions.

Latest Posts