A sophisticated malware campaign has been detected by researchers, focusing on Italian organizations such as the tax agency, with the use of a downloader called WikiLoader.
Researchers from Proofpoint revealed that this downloader employs various evasion mechanisms to avoid detection and is likely developed by a financially motivated threat actor known as TA544, with intentions to rent it to other cybercriminals. The ultimate goal of WikiLoader is to deliver the infamous Ursnif banking Trojan, a threat that TA544 particularly favors.
The name “WikiLoader” derives from the malware’s behavior, as it makes a request to Wikipedia and checks for the presence of the string “The Free” in the response content. Since December 2022, at least eight campaigns distributing WikiLoader have been observed. These campaigns often initiate with emails containing malicious attachments, such as Microsoft Excel or OneNote files, and regular PDFs. The malware has been distributed by two primary threat actors, TA544 and TA551, both of which target Italian entities.
While some hackers have shifted away from using malicious Microsoft Office macros, TA544 continues to employ them in its attack chains. The Microsoft Excel attachments used by TA544 contained characteristic Visual Basic for Applications (VBA) macros, which, if enabled, would download and execute WikiLoader. The constant modifications to WikiLoader suggest that its authors are actively attempting to remain undetected and evade scrutiny.
Proofpoint’s senior threat intelligence analyst, Selena Larson, speculates that more criminal threat actors, including initial access brokers, might exploit this malware for activities leading to ransomware attacks.
The Ursnif banking Trojan, also known as DreamBot and Gozi ISFB, has been a significant concern since its source code leaked online in 2015. This leak has allowed attackers to create customized and harder-to-detect versions of the Trojan.
Ursnif’s primary focus is on stealing passwords and credentials from victims, specifically targeting the banking and financial sectors. A recent February campaign by TA544 involved an updated version of WikiLoader, spoofing an Italian courier service, which featured additional stalling mechanisms to evade automated analysis and the use of encoded strings. The emergence of such sophisticated campaigns highlights the ongoing challenges in cybersecurity and the importance of staying vigilant against evolving threats.
