
WikiLoader (WailingCrab) – Malware

April 1, 2024

WikiLoader

Additional Names

WailingCrab

Type of Malware

The malware itself is split into multiple components, including a loader, injector, downloader and backdoor.

Country of Origin

Unknown

Date of initial activity

2022

Targeted Countries

Italy

Motivation

Financial Gain

Attack vectors

Since its inception, WailingCrab has been distributed via email spam campaigns using Microsoft Excel attachments, Microsoft OneNote attachments or PDF attachments. In recent months, Hive0133 has favored the use of PDF attachments containing malicious URLs.

Targeted systems

Windows

Associated Groups

TA544, TA551, Hive0133.

Overview

WikiLoader is a sophisticated downloader whose primary purpose is to install a secondary malware payload. Its design combines multiple evasion techniques with custom code, making detection and analysis difficult. WikiLoader appears to have been built as a rentable malware service offered to specific cybercriminal groups. The malware earns its name from its behavior of sending a request to Wikipedia and checking the response for the string “The Free”; this most likely serves as a simple check that the host has a working connection to the public internet, since a sandbox without real connectivity will not return that content.

Research by Proofpoint identified at least eight WikiLoader distribution campaigns between December 2022 and July 2023. These campaigns typically begin with malicious emails carrying Microsoft Excel, Microsoft OneNote, or PDF attachments. Proofpoint attributed the distribution to two threat actors, TA544 and TA551, both of which focused primarily on entities in Italy. More recent observations show a shift in tactics: Hive0133 has targeted organizations beyond Italy with email campaigns distributing WailingCrab, often using lures such as overdue deliveries or shipping invoices.

Targets

Italian Organizations.

Techniques Used

Since its creation, WailingCrab has relied on email spam campaigns for distribution. Clicking a malicious URL in one of these emails downloads and executes a JScript file, which starts the WailingCrab loader, often hosted as a Discord attachment. The malware consists of several components, including a loader, injector, downloader, and backdoor, each communicating with C2 servers to retrieve the next stage. To evade detection, WailingCrab uses legitimate but compromised websites for its initial C2 communications and well-known platforms such as Discord to host payloads. The malware also employs code obfuscation, anti-analysis, and anti-sandbox techniques to conceal its activity. Its core backdoor component communicates with C2 servers over MQTT, a lightweight publish/subscribe messaging protocol best known for IoT use.

The multi-stage loader, WikiLoader, uses obfuscation to hinder analysis tools and indirect syscalls to evade endpoint detection and response solutions. Each stage decrypts the next; the main loader functionality lives in stage three, which decodes its command strings at runtime. The loader then downloads shellcode from Discord and ultimately delivers the Ursnif banking trojan.

Newer versions of WailingCrab use an updated C2 communication scheme built on client-specific MQTT topics, chosen for stealth because MQTT is rarely seen in malware and is therefore not something most security solutions inspect closely. The move away from a centralized communication channel has also complicated monitoring for security researchers, who can no longer observe the malware’s traffic in one place.
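The delivery-then-C2 sequence described above can be turned into a simple hunt over proxy or firewall logs. The following is an added example written for this profile, not code from the original page or from the vendors it cites: it flags a host where a script host (wscript.exe or cscript.exe) fetches something from Discord and the same host then opens an MQTT connection (standard ports 1883/8883) within two hours, a window chosen because the loader's busy loops delay its later stages by about an hour. The log format, hostnames, the `discord` hostname match and the 203.0.113.10 broker address are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy-log lines (not real telemetry), one TCP flow per line.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z host=WS-ITA-07 proc=wscript.exe dst=cdn.discordapp.com:443
2024-03-04T09:12:03Z host=WS-ITA-07 proc=wscript.exe dst=en.wikipedia.org:443
2024-03-04T09:58:17Z host=WS-ITA-07 proc=explorer.exe dst=203.0.113.10:1883
2024-03-04T10:02:44Z host=WS-ITA-12 proc=chrome.exe dst=cdn.discordapp.com:443
2024-03-04T11:15:00Z host=SENSOR-01 proc=mosquitto_sub dst=203.0.113.10:1883
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) proc=(\S+) dst=([^:\s]+):(\d+)$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # the JScript loader runs under these
MQTT_PORTS = {1883, 8883}                       # plain / TLS MQTT broker ports
WINDOW = timedelta(hours=2)  # loader busy-loops for ~1h before later stages run

def parse(log_text):
    """Parse log lines into (timestamp, host, proc, dst, port) tuples, time-sorted."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, proc, dst, port = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           host, proc, dst, int(port)))
    return sorted(events)

def detect(log_text):
    """Return [(host, mqtt_dst, saw_wikipedia_check)] for every host showing the
    chain: script host fetches from Discord, then an MQTT connection within WINDOW."""
    events = parse(log_text)
    findings = []
    for ts, host, proc, dst, port in events:
        # Stage-1 delivery indicator; matching "discord" in the hostname is an assumption.
        if proc not in SCRIPT_HOSTS or "discord" not in dst:
            continue
        later = [e for e in events if e[1] == host and ts <= e[0] <= ts + WINDOW]
        mqtt = [e for e in later if e[4] in MQTT_PORTS]
        if mqtt and host not in [f[0] for f in findings]:
            wiki = any("wikipedia.org" in e[3] for e in later)  # the "The Free" check
            findings.append((host, f"{mqtt[0][3]}:{mqtt[0][4]}", wiki))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)  # → ('WS-ITA-07', '203.0.113.10:1883', True)
```

A browser fetching from Discord (WS-ITA-12) or an MQTT client on its own (SENSOR-01) does not fire; only the combination on one host within the window does.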

Variants

Proofpoint researchers have observed at least three different versions of the malware, which indicates it is undergoing active development. The following is a timeline with the relevant differences and updates observed in each version.

First version | 27 December 2022

  • No string encoding within the shellcode layers
  • Structures used for indirect syscalls were simpler
  • Shellcode layers didn’t contain as much obfuscation
  • Fewer APIs were used within the shellcode layer
  • Potentially one less stage of shellcode
  • The fake domain was manually created rather than via automation

Second version | 8 February 2023

  • Added complexity to the syscall structure
  • Implemented more busy loops
  • Began using encoded strings
  • Started deleting artifacts from file download

Third version | 11 July 2023

  • Strings still encoded via skip encoding
  • New technique for implementing indirect syscalls
  • The second filename is pulled via the MQTT protocol rather than reaching the compromised webhosts
  • Cookies are exfiltrated from the loader which contain basic host information
  • Full execution of the loader takes almost an hour given the abundance of busy loops
  • Shellcode stages are written byte by byte via NtWriteVirtualMemory rather than a single pass

Significant Malware Campaigns

  • Proofpoint researchers discover at least eight campaigns distributing WikiLoader (July 2023)
  • Extensively used in email campaigns often against Italian targets (November 2023)
  • Novel Threat Actor Campaign Using Fake Law Firm Invoices to Launch Phishing Attacks (March 2024)

References:
  • Out of the Sandbox: WikiLoader Digs Sophisticated Evasion
  • Stealthy WailingCrab Malware misuses MQTT Messaging Protocol
  • Protection Highlight: WikiLoader Returns