
WailingCrab Malware

Infosec researchers are warning that emails with a delivery and shipping theme are being employed as a means to distribute a sophisticated malware loader called WailingCrab. This malware comprises several components, including a loader, injector, downloader and backdoor. Successful communication with Command-and-Control (C2, C&C) servers is frequently required to fetch the subsequent stage of the malware.

Threat Actors are Actively Developing the WailingCrab Malware

Researchers initially identified WailingCrab in August 2023 after uncovering its involvement in attack campaigns against Italian organizations. In those campaigns the malware served as a conduit for deploying the Ursnif Trojan (also known as Gozi). The threat actor behind WailingCrab is TA544, also tracked as Bamboo Spider and Zeus Panda.

The malware is continuously maintained by its operators and includes features designed for stealth that make analysis harder. To keep its traffic inconspicuous, the malware initiates C2 communications through legitimate but compromised websites.

Furthermore, components of the malware are hosted on widely used platforms like Discord. Notably, a significant change in the malware's behavior since mid-2023 is the adoption of MQTT, a lightweight messaging protocol intended for small sensors and mobile devices, for C2 communication. This protocol is relatively uncommon in the threat landscape, with only a few previously observed instances of its use, such as Tizi and MQsTTang.

The Attack Chain for the Delivery of the WailingCrab Malware

The attack sequence initiates with emails containing PDF attachments harboring URLs. Clicking these URLs triggers the download of a JavaScript file designed to fetch and execute the WailingCrab loader hosted on Discord.

The loader's role is to initiate the subsequent stage, launching a shellcode that serves as an injector module. This, in turn, triggers the execution of a downloader responsible for deploying the ultimate backdoor. In earlier iterations, this component would directly download the backdoor, hosted as an attachment on the Discord CDN.

The most recent version of WailingCrab encrypts the backdoor component with AES. Instead of downloading the backdoor, it reaches out to its C2 server to acquire a decryption key for decrypting the backdoor. The backdoor, acting as the malware's core, establishes persistence on the infected host and communicates with the C2 server via the MQTT protocol to receive additional payloads.

Moreover, the latest variants of the backdoor abandon the Discord-based download path and instead receive a shellcode-based payload directly from the C2 server over MQTT. The shift to MQTT, together with the removal of Discord from payload retrieval, signals a deliberate focus on stealth and detection evasion in the newer versions of WailingCrab.
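Because MQTT is rare in most enterprise traffic, the protocol shift described above is itself a detection opportunity. The following Python is an added example, not code from the original write-up: it parses MQTT CONNECT packets from captured flow payloads and flags sessions from hosts that are not on an assumed allowlist of sanctioned MQTT clients. The allowlist, the addresses, and the sample packet are all constructed for this example.

```python
import struct

PROTO_NAMES = {b"MQTT", b"MQIsdp"}   # MQTT 3.1.1/5.0 and legacy 3.1 names
MQTT_ALLOWLIST = {"10.0.5.20"}       # assumed: the only sanctioned MQTT client

def _remaining_length(buf, pos):     # MQTT variable-length field, 1-4 bytes
    value, shift = 0, 0
    for _ in range(4):
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("malformed remaining length")

def _mqtt_string(buf, pos):          # length-prefixed string -> (bytes, next_pos)
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_connect(buf):
    """Return CONNECT fields, or None if buf is not a well-formed MQTT CONNECT."""
    if len(buf) < 2 or buf[0] >> 4 != 1: return None   # packet type 1 == CONNECT
    try:
        remaining, pos = _remaining_length(buf, 1)
        if len(buf) - pos < remaining: return None     # truncated packet
        name, pos = _mqtt_string(buf, pos)              # protocol name is the real tell
        if name not in PROTO_NAMES: return None
        level, flags, keepalive = struct.unpack_from(">BBH", buf, pos)
        client_id, _ = _mqtt_string(buf, pos + 4)
    except (struct.error, IndexError, ValueError):
        return None
    return {"protocol": name.decode(), "level": level, "keepalive": keepalive,
            "clean_session": bool(flags & 0x02),
            "client_id": client_id.decode("utf-8", "replace")}

def find_unexpected_mqtt(flows):
    """Alert on every MQTT CONNECT whose source host is not in MQTT_ALLOWLIST."""
    alerts = []
    for src, dst, port, payload in flows:       # (src_ip, dst_ip, dst_port, bytes)
        info = parse_connect(payload)
        if info and src not in MQTT_ALLOWLIST:
            alerts.append({"src": src, "dst": dst, "port": port, **info})
    return alerts
# Constructed CONNECT: "MQTT" level 4, clean session, keep-alive 60 s, id "wc-host01".
SAMPLE_CONNECT = b"\x10\x15\x00\x04MQTT\x04\x02\x00\x3c\x00\x09wc-host01"
SAMPLE_FLOWS = [                                 # addresses invented for this example
    ("10.0.5.20", "10.0.5.1", 1883, SAMPLE_CONNECT),           # gateway: expected
    ("10.0.7.44", "203.0.113.9", 443, SAMPLE_CONNECT),         # workstation: alert
    ("10.0.7.44", "203.0.113.9", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
]
```

The last sample flow is a TLS ClientHello prefix whose first nibble also reads as packet type 1, which is why the parser keys on the protocol name rather than on the first byte alone.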
