ESET Resource Center

Under the hood of Wslink’s multilayered virtual machine

March 2022

Under the hood of Wslink’s multilayered virtual machine

ESET researchers recently described Wslink, a unique and previously undocumented malicious loader that runs as a server and that features a virtual-machine-based obfuscator. In this white paper, we describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through the obfuscation techniques used in the analyzed samples. We demonstrate our approach on chunks of code of the protected sample.

During our research, we were able to successfully design and implement a semiautomatic solution capable of significantly facilitating analysis of the underlying program’s code. The virtual machine introduced a diverse arsenal of obfuscation techniques, which we were able to overcome to reveal a part of the de-obfuscated malicious code that we describe in this document.

In the last sections of this analysis, we present parts of the code that we developed to facilitate our research. This white paper also provides an overview of the internal structure of virtual machines in general, and it introduces some important terms and frameworks that are used in our detailed analysis of the Wslink virtual machine.

Don't miss out

PREMIUM CONTENT

WHITE PAPERS


Extended Detection and Response (XDR) Buyer's Guide

Uncover the key benefits of an XDR solution, what to look for when considering purchasing one, and how ESET can guide you through the whole process.

PREMIUM CONTENT

WHITE PAPERS


Cyber Threat Intelligence: A Comprehensive Guide to Your Threat Defence

Why do organizations need Cyber Threat Intelligence and what should you look for when choosing a Threat Intelligence provider? Learn more from ESET’s brand-new guide!

PREMIUM CONTENT

HANDBOOKS


Cybersecurity Insurance for Enterprises: Making an Educated Decision

Learn about why cybersecurity insurance has become a crucial tool in preventing companies from being shut down after an attack, and how to strengthen your posture.

Ready for next step?

Enter the world of enterprise protection