Experts Detail Virtual Machine Used by Wslink Malware Loader for Obfuscation

Cybersecurity researchers have shed more light on a malicious loader that runs as a server and executes received modules in memory, laying bare the structure of an “advanced multi-layered virtual machine” used by the malware to fly under the radar.

Wslink, as the malicious loader is called, was first documented by Slovak cybersecurity company ESET in October 2021, with very few telemetry hits detected in the past two years spanning Central Europe, North America, and the Middle East.

Analysis of the malware samples have yielded little to no clues about the initial compromise vector used, and no code, functionality, or operational similarities have been uncovered to suggest that this is a tool from a previously identified threat actor.

Packed with a file compression utility named NsPack, Wslink makes use of what’s called a process virtual machine (VM), a mechanism to run an application in a platform-independent manner that abstracts the underlying hardware or operating system, as an obfuscation method but with a crucial difference.

“Virtual machines used as obfuscation engines […] are not intended to run cross-platform applications and they usually take machine code compiled or assembled for a known ISA [instruction set architecture], disassemble it, and translate that to their own virtual ISA,” ESET malware analyst Vladislav Hrčka said.

“The strength of this obfuscation technique resides in the fact that the ISA of the VM is unknown to any prospective reverse engineer – a thorough analysis of the VM, which can be very time-consuming, is required to understand the meaning of the virtual instructions and other structures of the VM.”

What’s more, the virtualized Wslink malware package comes with a diverse arsenal of tactics to hamper reverse engineering, including junk code, encoding of virtual operands, merging of virtual instructions, and the use of a nested virtual machine.

“Obfuscation techniques are a kind of software protection intended to make code hard to understand and hence conceal its objectives; obfuscating virtual machine techniques have become widely misused for illicit purposes such as obfuscation of malware samples, since they hinder both analysis and detection,” Hrčka said.