ESET Resource Center

Under the hood of Wslink’s multilayered virtual machine

March 2022

ESET researchers recently described Wslink, a unique and previously undocumented malicious loader that runs as a server and that features a virtual-machine-based obfuscator. In this white paper, we describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through the obfuscation techniques used in the analyzed samples. We demonstrate our approach on chunks of code of the protected sample.

During our research, we were able to successfully design and implement a semiautomatic solution capable of significantly facilitating analysis of the underlying program’s code. The virtual machine introduced a diverse arsenal of obfuscation techniques, which we were able to overcome to reveal a part of the de-obfuscated malicious code that we describe in this document.

In the last sections of this analysis, we present parts of the code that we developed to facilitate our research. This white paper also provides an overview of the internal structure of virtual machines in general, and it introduces some important terms and frameworks that are used in our detailed analysis of the Wslink virtual machine.
