Experts Detail Virtual Machine Used by Wslink Malware Loader for Obfuscation

Cybersecurity researchers have shed more light on a malicious loader that runs as a server and executes received modules in memory, laying bare the structure of an “advanced multi-layered virtual machine” used by the malware to fly under the radar.

Wslink, as the malicious loader is called, was first documented by Slovak cybersecurity company ESET in October 2021, with very few telemetry hits detected in the past two years spanning Central Europe, North America, and the Middle East.

Analysis of the malware samples has yielded little to no clues about the initial compromise vector used, and no code, functionality, or operational similarities have been uncovered to suggest that this is a tool from a previously identified threat actor.

Packed with a file compression utility named NsPack, Wslink makes use of what’s called a process virtual machine (VM), a mechanism to run an application in a platform-independent manner that abstracts the underlying hardware or operating system, as an obfuscation method but with a crucial difference.

“Virtual machines used as obfuscation engines […] are not intended to run cross-platform applications and they usually take machine code compiled or assembled for a known ISA [instruction set architecture], disassemble it, Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *