Pierluigi Paganini
August 01, 2023
WikiLoader is a new piece of malware that is employed in a phishing campaign that is targeting Italian organizations. Threat actors behind the campaign are using WikiLoader to deliver a banking trojan, stealer, and malware such as Ursnif to the victims’ computers.
The malware supports multiple mechanisms to evade detection, the researchers from Proofpoint called it WikiLoader because the malicious code makes a request to Wikipedia and checks that the response has the string “The Free” in the contents.
“It was first identified in December 2022 being delivered by TA544, an actor that typically uses Ursnif malware to target Italian organizations. Proofpoint observed multiple subsequent campaigns, the majority of which targeted Italian organizations.” reads the post published by Proofpoint. “WikiLoader is a sophisticated downloader with the objective of installing a second malware payload. The malware contains interesting evasion techniques and custom implementation of code designed to make detection and analysis challenging.”
The researchers believe that WikiLoader is offered with the model of malware-as-a-service to multiple cybercriminal groups.
Proofpoint observed discovered at least eight campaigns distributing the malware since December 2022, with the most notable campaigns were observed on 27 December 2022, 8 February 2023, and 11 July 2023.
The attack chain starts with emails containing either weaponized Microsoft Office attachments, or PDF attachments. Proofpoint reported that WikiLoader was distributed by at least two threat actors, TA544 and TA551, both aimed at Italian organizations.
“While most cybercriminal threat actors have pivoted away from macro enabled documents as vehicles for malware delivery, TA544 has continued to use them in attack chains, including to deliver WikiLoader.” continues the report.
Below is an example of mail employed in a campaign observed in December, the message contains a Microsoft Excel attachment spoofing the Italian Revenue Agency
During a campaign observed in February 2023, the attackers impersonated an Italian courier service in their message. The attached Excel file was embedded with VBA macros, which, when activated, initiated the installation process of WikiLoader.
In a campaign observed in July, TA544 used accounting themes to deliver PDF attachments with URLs that led to the download of a zipped JavaScript file that downloads and executes of WikiLoader.
WikiLoader was also designed to retrieve and run a shellcode hosted on Discord, then use it to execute Ursnif.
The researchers believe that the malware is in rapid development and the threat actors are improving it.
“WikiLoader is delivered via activities regularly observed by threat actors, including macro-enabled documents, PDFs containing URLs leading to a JavaScript payload, and OneNote attachments with embedded executables. Thus, user interaction is required to begin the malware installation.” concludes the report. “Organizations should ensure macros are disabled by default for all employees, block the execution of embedded external files within OneNote documents, and ensure JavaScript files are opened by default in a notepad or similar application, by adjusting default file extension associations via group policy object (GPO).”
Follow me on Twitter: @securityaffairs Facebook and Mastodon
(SecurityAffairs – hacking, WikiLoader)
