Unique and undocumented malicious loader that runs as a server


ESET researchers have found a previously unknown loader for Windows binaries that, unlike conventional loaders, runs as a server and executes received modules in memory. We’ve given this new virus the moniker Wslink, which is the name of one of its DLLs.

The modules don’t have to create new outbound connections because they reuse the loader’s routines for communication, keys, and sockets. Wslink also includes a well-developed encryption protocol to protect the data being exchanged.
