[MART] - Daily Diary #480 - Wslink and Process Virtual Machines

CTAS-MAT ctas-mat at appgate.com
Tue Mar 29 21:32:04 UTC 2022

I hope everyone is doing well!

Below is the entry for today.

03/29/2022 - Diary entry #480

In our Daily Diary #442 we covered packers, used by trusted applications and malware alike to compress code and/or to hinder detection and reverse engineering. At the time, we briefly mentioned packers based on process virtual machines, like Themida and VMProtect.

Process virtual machines are mostly used to execute OS-independent code, like the Java Virtual Machine that executes compiled Java bytecode. Packers that use virtualization translate the instructions of the original binary into new instructions that can be interpreted only by the in-memory virtual machine. This makes the binary much harder to reverse engineer, because common disassemblers and decompilers only see the interpreter and its data; they cannot identify the custom instructions and reverse the code back to its original assembly representation.
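To make the mechanism concrete, here is a small added example (not code from the diary, nor from Wslink, Themida or VMProtect, whose virtual ISAs are far larger) that contrasts a plain native routine with the same logic rewritten for a toy stack-based virtual machine. The opcode numbers, the one-byte XOR key and the bytecode are constructed for this illustration. Everything a disassembler can recover from the "virtualized" build is the dispatch loop and its handlers; the actual arithmetic lives in a data array, which is exactly why analysts have to reverse the handlers and write a custom disassembler for the sample's ISA before the original logic becomes visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Original, un-virtualized routine: a decompiler shows this directly. */
uint32_t original_fn(uint32_t x) {
    return (x + 3) ^ 0x55;
}

/* Toy virtual ISA (constructed for this example). A real virtualizing
 * packer generates a different, randomized ISA per protected sample. */
enum {
    OP_PUSH_ARG = 0x11,  /* push the routine argument            */
    OP_PUSH_IMM = 0x22,  /* push the following byte as immediate  */
    OP_ADD      = 0x33,  /* pop two, push sum                     */
    OP_XOR      = 0x44,  /* pop two, push xor                     */
    OP_RET      = 0x55   /* pop one, return it to native code     */
};

/* Virtualized form of original_fn. It is stored as data, XOR-encoded
 * with VM_KEY, so even the opcode bytes are not visible at rest.
 * Plaintext: PUSH_ARG, PUSH_IMM 3, ADD, PUSH_IMM 0x55, XOR, RET */
static const uint8_t VM_KEY = 0xA7;
static const uint8_t program_encoded[] = {
    0xB6, 0x85, 0xA4, 0x94, 0x85, 0xF2, 0xE3, 0xF2
};

#define VM_STACK_SIZE 8
#define VM_ERROR 0xFFFFFFFFu

/* The interpreter: the only native code a disassembler sees.  Bounds
 * checks return VM_ERROR instead of corrupting memory on bad bytecode. */
uint32_t vm_run(const uint8_t *code, size_t len, uint32_t arg) {
    uint32_t stack[VM_STACK_SIZE];
    int sp = 0;
    size_t pc = 0;

    while (pc < len) {
        uint8_t op = code[pc++] ^ VM_KEY;   /* decode on the fly */
        switch (op) {
        case OP_PUSH_ARG:
            if (sp >= VM_STACK_SIZE) return VM_ERROR;
            stack[sp++] = arg;
            break;
        case OP_PUSH_IMM:
            if (sp >= VM_STACK_SIZE || pc >= len) return VM_ERROR;
            stack[sp++] = code[pc++] ^ VM_KEY;
            break;
        case OP_ADD: {
            if (sp < 2) return VM_ERROR;
            uint32_t b = stack[--sp];
            stack[sp - 1] += b;
            break;
        }
        case OP_XOR: {
            if (sp < 2) return VM_ERROR;
            uint32_t b = stack[--sp];
            stack[sp - 1] ^= b;
            break;
        }
        case OP_RET:
            if (sp < 1) return VM_ERROR;
            return stack[--sp];
        default:
            return VM_ERROR;              /* unknown opcode */
        }
    }
    return VM_ERROR;                      /* fell off the end without RET */
}

/* Native entry point that the packed binary would call instead of original_fn. */
uint32_t virtualized_fn(uint32_t x) {
    return vm_run(program_encoded, sizeof program_encoded, x);
}

/* What an analyst builds after reversing the handlers: a disassembler
 * for this sample's ISA that turns the data array back into a listing. */
void vm_disassemble(const uint8_t *code, size_t len) {
    for (size_t pc = 0; pc < len; ) {
        uint8_t op = code[pc++] ^ VM_KEY;
        switch (op) {
        case OP_PUSH_ARG: puts("PUSH_ARG"); break;
        case OP_PUSH_IMM: printf("PUSH_IMM 0x%02X\n", code[pc++] ^ VM_KEY); break;
        case OP_ADD:      puts("ADD"); break;
        case OP_XOR:      puts("XOR"); break;
        case OP_RET:      puts("RET"); return;
        default:          printf("db 0x%02X  ; unknown\n", op); break;
        }
    }
}

int main(void) {
    uint32_t x = 10;
    printf("original_fn(%u)    = %u\n", x, original_fn(x));
    printf("virtualized_fn(%u) = %u\n", x, virtualized_fn(x));
    vm_disassemble(program_encoded, sizeof program_encoded);
    return 0;
}
```

Both routines return the same value for every input, which is the point: behaviour is preserved while the static view of the binary changes completely. Scaling this up (hundreds of opcodes, multiple nested VMs, handlers that are themselves obfuscated, and bytecode re-encoded per sample) is what turns a toy like this into the multilayered design described for Wslink below.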

This week a new loader malware was disclosed. Named Wslink, it uses a multilayered process virtual machine and other obfuscation techniques to mask the original code of its malicious modules and execute them stealthily. Unlike other loaders, it runs as a server, receiving the modules it executes in memory.

Wslink is a very sophisticated threat that could be incorporated into most of the malware active today. The threat actors behind Wslink are still unknown, and only a few samples have been detected in the wild. It's hard to know whether a threat this complex will evolve or be adopted by other cybercrime groups, but we expect to see new attacks using Wslink, given how much harder it makes detection by common security solutions.

Kind Regards,



Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
