Cyber Crime

WikiLoader malware-as-a-service targets Italian organizations

Threat actors are targeting Italian organizations with a phishing campaign aimed at delivering a new malware called WikiLoader.

WikiLoader is a new piece of malware that is employed in a phishing campaign that is targeting Italian organizations. Threat actors behind the campaign are using WikiLoader to deliver a banking trojan, stealer, and malware such as Ursnif to the victims’ computers.

The malware supports multiple mechanisms to evade detection, the researchers from Proofpoint called it WikiLoader because the malicious code makes a request to Wikipedia and checks that the response has the string “The Free” in the contents. 

“It was first identified in December 2022 being delivered by TA544, an actor that typically uses Ursnif malware to target Italian organizations. Proofpoint observed multiple subsequent campaigns, the majority of which targeted Italian organizations.” reads the post published by Proofpoint. “WikiLoader is a sophisticated downloader with the objective of installing a second malware payload. The malware contains interesting evasion techniques and custom implementation of code designed to make detection and analysis challenging.”

The researchers believe that WikiLoader is offered with the model of malware-as-a-service to multiple cybercriminal groups.

Proofpoint observed discovered at least eight campaigns distributing the malware since December 2022, with the most notable campaigns were observed on 27 December 2022, 8 February 2023, and 11 July 2023.

The attack chain starts with emails containing either weaponized Microsoft Office attachments, or PDF attachments. Proofpoint reported that WikiLoader was distributed by at least two threat actors, TA544 and TA551, both aimed at Italian organizations.

“While most cybercriminal threat actors have pivoted away from macro enabled documents as vehicles for malware delivery, TA544 has continued to use them in attack chains, including to deliver WikiLoader.” continues the report.

Below is an example of mail employed in a campaign observed in December, the message contains a Microsoft Excel attachment spoofing the Italian Revenue Agency

During a campaign observed in February 2023, the attackers impersonated an Italian courier service in their message. The attached Excel file was embedded with VBA macros, which, when activated, initiated the installation process of WikiLoader.

In a campaign observed in July, TA544 used accounting themes to deliver PDF attachments with URLs that led to the download of a zipped JavaScript file that downloads and executes of WikiLoader.

WikiLoader was also designed to retrieve and run a shellcode hosted on Discord, then use it to execute Ursnif.

The researchers believe that the malware is in rapid development and the threat actors are improving it.

“WikiLoader is delivered via activities regularly observed by threat actors, including macro-enabled documents, PDFs containing URLs leading to a JavaScript payload, and OneNote attachments with embedded executables. Thus, user interaction is required to begin the malware installation.” concludes the report. “Organizations should ensure macros are disabled by default for all employees, block the execution of embedded external files within OneNote documents, and ensure JavaScript files are opened by default in a notepad or similar application, by adjusting default file extension associations via group policy object (GPO).”

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WikiLoader)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Threat actor attempts to sell 30 million customer records allegedly stolen from TEG

A threat actor is offering for sale customer data allegedly stolen from the Australia-based live…

2 hours ago

Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

15 hours ago

Threat actors are actively exploiting SolarWinds Serv-U bug CVE-2024-28995

Threat actors are actively exploiting a recently discovered vulnerability in SolarWinds Serv-U software using publicly…

15 hours ago

US government sanctions twelve Kaspersky Lab executives

The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned twelve Kaspersky Lab executives for their…

1 day ago

Experts found a bug in the Linux version of RansomHub ransomware

The RansomHub ransomware operators added a Linux encryptor to their arsenal, the version targets VMware…

2 days ago

UEFICANHAZBUFFEROVERFLOW flaw in Phoenix SecureCore UEFI firmware potentially impacts hundreds of PC and server models

A serious vulnerability (CVE-2024-0762) in the Phoenix SecureCore UEFI firmware potentially impacts hundreds of PC…

2 days ago

This website uses cookies.