| WikiLoader | |
|---|---|
| Additional Names | WailingCrab |
| Type of Malware | Multi-component: the malware is split into a loader, an injector, a downloader and a backdoor |
| Country of Origin | Unknown |
| Date of initial activity | 2022 |
| Targeted Countries | Italy |
| Motivation | Financial Gain |
| Attack vectors | Since its inception, WailingCrab has been distributed via email spam campaigns using Microsoft Excel attachments, Microsoft OneNote attachments or PDF attachments. In recent months, Hive0133 has favored PDF attachments containing malicious URLs |
| Targeted systems | Windows |
| Associated Groups | TA544, TA551, Hive0133 |
Overview
WikiLoader is a sophisticated downloader whose primary purpose is to install a second-stage malware payload. Its design combines custom code with evasion tactics that make detection and analysis difficult. WikiLoader appears to have been built as a rentable malware service offered to select cybercriminal groups.
The malware earns its moniker “WikiLoader” from its habit of sending a request to Wikipedia and checking the response for the string “The Free”. This is most likely a simple check that the infected host can reach the public internet. Research by Proofpoint identified at least eight WikiLoader distribution campaigns between December 2022 and July 2023.
These campaigns typically begin with malicious emails carrying Microsoft Excel, Microsoft OneNote, or PDF attachments. Proofpoint’s investigation attributed the distribution of WikiLoader to two threat actors, TA544 and TA551, both focusing primarily on entities in Italy. More recent observations show a shift in tactics: Hive0133 has emerged, targeting organizations beyond Italy with email campaigns that deliver WailingCrab. These campaigns commonly use lures such as overdue deliveries or shipping invoices.
Targets
Italian Organizations.
Techniques Used
Since its creation, WailingCrab has been distributed through email spam campaigns. Clicking a malicious URL in one of these emails downloads and executes a JScript file, which launches the WailingCrab loader, often hosted as a Discord attachment. The malware consists of several components (loader, injector, downloader, and backdoor) and communicates with C2 servers to retrieve each subsequent stage.
To evade detection, WailingCrab uses legitimate but compromised websites for its initial C2 communications and hosts payloads on well-known platforms such as Discord. The malware also employs code obfuscation, anti-analysis, and anti-sandbox techniques to conceal its activity. Its core backdoor component talks to C2 servers over MQTT, a lightweight messaging protocol best known from IoT deployments.
The multi-stage loader, WikiLoader, uses obfuscation to hinder analysis tools and indirect syscalls to evade endpoint detection and response (EDR) solutions. Each stage decrypts the next; the main loader functionality lives in stage three, which decodes its command strings at runtime. The loader then downloads shellcode from Discord and ultimately delivers the Ursnif banking trojan.
Newer versions of WailingCrab use an updated C2 protocol in which each client publishes and subscribes to its own MQTT topics, for stealth and evasion. The change is intended to evade security products, taking advantage of the fact that MQTT is rarely used by malware. The move away from centralized communication has also complicated monitoring for security researchers, making it harder to observe and analyze the malware’s activity.
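As an added example (not code from this page or from the reports it cites), here is a small MQTT 3.1.1 parser that pulls CONNECT client identifiers and PUBLISH topic names out of a captured TCP byte stream and flags topics that look client-specific, so an analyst reviewing traffic from a host that has no reason to speak MQTT can see what it published to. The packet layout follows the MQTT 3.1.1 specification; the sample stream, the topic names, and the "long hex token means client-specific topic" heuristic are constructed assumptions, not observed WailingCrab traffic.

```python
import re
import struct

CONNECT, PUBLISH = 1, 3  # MQTT 3.1.1 control packet types (high nibble of byte 0)
def _remaining_length(buf, pos):
    # Variable-length integer: 7 data bits per byte, bit 0x80 = more bytes follow.
    value, mult = 0, 1
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128

def _mqtt_string(buf, pos):
    # UTF-8 string field: 2-byte big-endian length prefix followed by the bytes.
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def parse_mqtt_stream(stream):
    """Return [(kind, value)]: client ids from CONNECT, topic names from PUBLISH."""
    events, pos = [], 0
    while pos < len(stream):
        ptype = stream[pos] >> 4
        rem, pos = _remaining_length(stream, pos + 1)
        body, pos = stream[pos:pos + rem], pos + rem
        if ptype == CONNECT:
            _, p = _mqtt_string(body, 0)  # protocol name "MQTT"
            p += 4                        # protocol level, connect flags, keep-alive
            events.append(("CONNECT", _mqtt_string(body, p)[0]))
        elif ptype == PUBLISH:
            events.append(("PUBLISH", _mqtt_string(body, 0)[0]))
    return events
# Assumed heuristic: a per-client topic embeds a long hex token in one path
# segment, unlike the human-readable topic names of genuine IoT traffic.
CLIENT_TOKEN = re.compile(r"^[0-9a-f]{16,}$", re.I)
def client_specific_topics(events):
    return [v for kind, v in events if kind == "PUBLISH"
            and any(CLIENT_TOKEN.match(seg) for seg in v.split("/"))]
def _s(text):  # encode an MQTT string field
    return struct.pack(">H", len(text)) + text.encode()
def _packet(ptype, body):  # fixed header; a one-byte remaining length suffices here
    return bytes([ptype << 4, len(body)]) + body
# Constructed sample: one CONNECT, one IoT-style publish, one suspicious publish.
SAMPLE_STREAM = (
    _packet(CONNECT, _s("MQTT") + b"\x04\x02\x00\x3c" + _s("host-0a1b"))
    + _packet(PUBLISH, _s("sensors/lobby/temp") + b"21.5")
    + _packet(PUBLISH, _s("c/3f9a1c7e5b2d4e6f") + b"\x01\x02")
)
```

Feed `parse_mqtt_stream` the reassembled TCP payload of a suspect session and review the topics it returns against the broker's expected namespace.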
Variants
Proofpoint researchers have observed at least three different versions of the malware, which indicates it is undergoing active development. The following is a timeline with the relevant differences and updates observed in each version.
First version | 27 December 2022
- No string encoding within the shellcode layers
- Structures used for indirect syscalls were simpler
- Shellcode layers didn’t contain as much obfuscation
- Fewer APIs were used within the shellcode layer
- Potentially one less stage of shellcode
- The fake domain was manually created rather than via automation
Second version | 8 February 2023
- Added complexity to the syscall structure
- Implemented more busy loops
- Began using encoded strings
- Started deleting artifacts from file download
Third version | 11 July 2023
- Strings still encoded via skip encoding
- New technique for implementing indirect syscalls
- The second filename is pulled via the MQTT protocol rather than reaching the compromised webhosts
- Cookies are exfiltrated from the loader which contain basic host information
- Full execution of the loader takes almost an hour given the abundance of busy loops
- Shellcode stages are written byte by byte via NtWriteVirtualMemory rather than in a single pass
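The byte-by-byte NtWriteVirtualMemory behaviour noted for the third version is something a defender can look for in API-monitor or EDR telemetry. The following is an added detection example, not code from this page or from the referenced reports: it scans trace lines for long runs of one-byte cross-process writes to consecutive addresses, which a normal single-pass injector never produces. The log line format, the process ids, the addresses and the 64-write threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed trace format (constructed for this example; adapt the regex to your
# API-monitor or EDR telemetry): caller pid, API name, target pid, address, size.
LINE = re.compile(
    r"pid=(?P<pid>\d+) api=(?P<api>\w+) target=(?P<target>\d+) "
    r"addr=0x(?P<addr>[0-9a-f]+) size=(?P<size>\d+)", re.I)

def parse_trace(lines):
    # Yield (caller_pid, api, target_pid, address, size) for every well-formed line.
    for line in lines:
        m = LINE.search(line)
        if m:
            yield (int(m["pid"]), m["api"], int(m["target"]),
                   int(m["addr"], 16), int(m["size"]))

def byte_by_byte_writers(lines, min_writes=64):
    """Flag (caller, target) pairs that issued at least min_writes one-byte
    NtWriteVirtualMemory calls to consecutive addresses. A single-pass injector
    writes its buffer in one call, so a long run of 1-byte writes stands out."""
    runs = defaultdict(list)
    for pid, api, target, addr, size in parse_trace(lines):
        if api == "NtWriteVirtualMemory" and size == 1:
            runs[(pid, target)].append(addr)
    hits = {}
    for key, addrs in runs.items():
        addrs.sort()
        best = current = 1
        for prev, cur in zip(addrs, addrs[1:]):
            current = current + 1 if cur == prev + 1 else 1
            best = max(best, current)
        if best >= min_writes:
            hits[key] = (best, min(addrs))  # longest run, lowest address written
    return hits

def _sample_trace():
    # Constructed: pid 4242 writes a 96-byte stage into pid 5150 one byte at a
    # time; pid 7001 is a benign single-pass writer (one 4096-byte call).
    lines = [f"t={i} pid=4242 api=NtWriteVirtualMemory target=5150 "
             f"addr=0x{0x1a0000 + i:x} size=1" for i in range(96)]
    lines.append("t=200 pid=7001 api=NtWriteVirtualMemory target=5150 addr=0x2b0000 size=4096")
    lines.append("t=201 pid=4242 api=NtProtectVirtualMemory target=5150 addr=0x1a0000 size=96")
    return lines

SAMPLE_TRACE = _sample_trace()
```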
Significant Malware Campaigns
- Proofpoint researchers discover at least eight campaigns distributing WikiLoader (July 2023)
- Extensively used in email campaigns often against Italian targets (November 2023)
- Novel Threat Actor Campaign Using Fake Law Firm Invoices to Launch Phishing Attacks (March 2024)
References:
- Out of the Sandbox: WikiLoader Digs Sophisticated Evasion
- Stealthy WailingCrab Malware misuses MQTT Messaging Protocol
- Protection Highlight: WikiLoader Returns