
WikiLoader Malware

A new phishing campaign is targeting organizations in Italy, utilizing a newly discovered strain of malware named WikiLoader. This sophisticated downloader's primary objective is to install a second-stage malware payload on compromised devices. To avoid detection, WikiLoader employs multiple evasion mechanisms, indicating that it might have been designed as malware-for-hire, available to specific cybercriminal threat actors. The name 'WikiLoader' is derived from the malware's behavior of making a request to Wikipedia and checking whether the response contains the string 'The Free.'

The first sighting of this malware in the wild occurred on December 27, 2022, in connection with an intrusion set operated by a threat actor known as TA544, also identified as Bamboo Spider and Zeus Panda. Notably, the final payload in WikiLoader infections appears to be Ursnif (Gozi). This is a notorious malware threat equipped with banking Trojan, stealer and spyware capabilities.

Cybercriminals Use Phishing Lures to Deliver WikiLoader

The phishing campaigns connected to WikiLoader revolve around the use of emails containing various attachments like Microsoft Excel, Microsoft OneNote or PDF files. These attachments act as lures to deploy the downloader payload, which, in turn, facilitates the installation of the Ursnif malware.

An interesting observation is that WikiLoader, the malware responsible for the initial infection, seems to be shared among multiple cybercrime groups. One such group, known as TA551 or Shathak, has been recently observed using WikiLoader in its activities as of late March 2023.

In mid-July 2023, further campaigns carried out by the threat actor TA544 employed accounting-themed PDF attachments. These attachments contained URLs that, when clicked, led to the delivery of a ZIP archive file. Within this archive, a JavaScript file is responsible for downloading and executing the WikiLoader malware, initiating the attack chain.
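The delivery chain above ends with a JavaScript file, unpacked from a downloaded ZIP archive, being executed on the victim's machine. One way a defender can surface that step in endpoint telemetry is to flag a Windows script host launching a `.js` file from a download or temporary directory. The following is an added example, not code from the article or from any vendor product: the event schema, the script-host names (`wscript.exe`, `cscript.exe`) and the drop-directory list are assumptions, and the sample events are constructed.

```python
"""Flag the WikiLoader delivery step (ZIP -> .js -> loader) in endpoint
process-start events: a Windows script host running a .js file from a
download or temporary directory.

Added detection example; not code from the article. The event schema,
the script-host names and the drop-directory list are assumptions.
"""
import re

# Windows script hosts that execute .js files (assumption: these are the
# interpreters most often seen launching a script unpacked from an archive).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Directories where browser downloads and Explorer's archive extraction land
# (assumption; extend to match the environment's own conventions).
USER_DROP_DIRS = re.compile(r"\\(Downloads|Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)

# First command-line token that ends in .js, quoted or not.
JS_ARG = re.compile(r'"?([^"\s]+\.js)"?', re.IGNORECASE)

# Constructed sample process-start events (one dict per process).
SAMPLE_EVENTS = [
    {"pid": 4012, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_fattura_2023.zip\fattura_2023.js"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4020, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\ProgramData\IT\inventory.js",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 4031, "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "cmdline": r'Acrobat.exe "C:\Users\alice\Downloads\fattura_2023.pdf"',
     "parent_image": r"C:\Windows\explorer.exe"},
]


def script_host_from_drop_dir(event):
    """Return the .js path if a script host is running a script out of a
    user drop directory, otherwise None."""
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if image_name not in SCRIPT_HOSTS:
        return None
    match = JS_ARG.search(event["cmdline"])
    if not match:
        return None
    script_path = match.group(1)
    return script_path if USER_DROP_DIRS.search(script_path) else None


def find_suspicious_scripts(events):
    """Return (pid, script_path) for every event matching the rule."""
    hits = []
    for event in events:
        script_path = script_host_from_drop_dir(event)
        if script_path:
            hits.append((event["pid"], script_path))
    return hits


if __name__ == "__main__":
    for pid, path in find_suspicious_scripts(SAMPLE_EVENTS):
        print(f"pid {pid}: script host executing {path}")
```

The administrative `cscript.exe` run from `C:\ProgramData` is deliberately left unflagged: the rule keys on where the script lives, not merely on which interpreter runs it, which keeps legitimate scheduled scripts out of the alert queue.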

WikiLoader Employs Sophisticated Evasion Techniques

WikiLoader employs robust obfuscation and evasive tactics to bypass endpoint security software and to avoid detection in automated analysis environments. Furthermore, it is purposefully designed to retrieve and execute a shellcode payload hosted on Discord, ultimately serving as a launchpad for the Ursnif malware.
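Two network behaviors from this article lend themselves to correlation in web-proxy logs: the Wikipedia request used for the 'The Free' check, and the subsequent fetch of a payload hosted on Discord. Either on its own is common and benign; a host doing both within a short window is worth a look. The following is an added example, not code from the article or from the malware: the log format, the five-minute window and the sample lines are constructed assumptions.

```python
"""Correlate per-host web-proxy events for the WikiLoader pattern: a request
to wikipedia.org followed, within a short window, by a download from
Discord's CDN.

Added detection example; not code from the article. The log format and the
correlation window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: "<ISO timestamp> <src host> <method> <url>".
SAMPLE_PROXY_LOG = """\
2023-07-12T09:14:02 ws-017 GET https://en.wikipedia.org/wiki/Main_Page
2023-07-12T09:14:05 ws-017 GET https://cdn.discordapp.com/attachments/1111/2222/blob.bin
2023-07-12T09:20:31 ws-042 GET https://en.wikipedia.org/wiki/Phishing
2023-07-12T10:03:17 ws-042 GET https://cdn.discordapp.com/attachments/3333/4444/img.png
2023-07-12T09:30:00 ws-099 GET https://cdn.discordapp.com/attachments/5555/6666/a.bin
"""

DISCORD_CDN = "cdn.discordapp.com"


def parse_line(line):
    """Split one log line into (timestamp, host, method, netloc, url)."""
    ts, host, method, url = line.split(maxsplit=3)
    netloc = (urlparse(url).hostname or "").lower()
    return datetime.fromisoformat(ts), host, method, netloc, url


def is_wikipedia(netloc):
    return netloc == "wikipedia.org" or netloc.endswith(".wikipedia.org")


def find_wikiloader_pattern(log_text, window_minutes=5):
    """Return (host, wiki_ts, discord_ts, discord_url) for every host whose
    Wikipedia request is followed by a Discord CDN fetch within the window."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_host[event[1]].append(event)

    hits = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        last_wiki = None  # most recent Wikipedia request not yet paired
        for ts, _, _, netloc, url in events:
            if is_wikipedia(netloc):
                last_wiki = ts
            elif netloc == DISCORD_CDN and last_wiki is not None and ts - last_wiki <= window:
                hits.append((host, last_wiki, ts, url))
                last_wiki = None  # pair each check with at most one download
    return hits


if __name__ == "__main__":
    for host, wiki_ts, discord_ts, url in find_wikiloader_pattern(SAMPLE_PROXY_LOG):
        print(f"{host}: wikipedia at {wiki_ts}, discord fetch at {discord_ts} -> {url}")
```

With the default window only `ws-017` is reported; `ws-042` made both requests but 43 minutes apart, and `ws-099` never touched Wikipedia. Widening the window trades precision for recall, so tune it against the proxy's real baseline before alerting on it.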

As indicated by experts, WikiLoader is actively being developed, and its creators regularly implement changes to keep their operations undetected.

It is highly probable that more criminal threat actors will adopt WikiLoader, especially those identified as initial access brokers (IABs), known for engaging in activities that often lead to ransomware attacks. Defenders and cybersecurity teams must be alert and informed about this new malware and the intricacies involved in payload delivery. Taking proactive measures to safeguard their organizations against potential exploitation is essential in mitigating its impact.
