Proofpoint researchers have identified a new malware, called WikiLoader, active in the wild. The malware gets its name from the way it makes a request to Wikipedia and later checks whether the response has ‘The Free’ string in the contents. This is believed to be a tactic adopted by the malware to stay under the radar during the infection process.
Key findings
WikiLoader has been discovered in at least eight campaigns targeting Italian organizations since December 2022.
These campaigns leveraged emails containing either Microsoft Excel attachments, Microsoft OneNote attachments, or PDF attachments, causing the download of Ursnif as a follow-on payload.
While a majority of these campaigns were linked to TA544 APT, on March 31, WikiLoader was delivered by TA551 APT, indicating that the malware is used by multiple threat actors.
Variants of WikiLoader
So far, there are three versions of the malware, which signifies it is still under active development.
The first version of the malware was observed in an attack campaign on December 27, 2022, targeting companies in Italy. The campaign spoofed an Italian Revenue Agency and was attributed to TA544.
It used few APIs and had no string encoded within the Shellcode layers.
On February 8, 2023, researchers found the second version of WikiLoader used in high-volume attacks targeting Italian users. The campaign spoofed an Italian courier service to deploy the Ursnif trojan.
This version of WikiLoader contained more complex structures, encoded strings, and additional stalling mechanisms to evade automated analysis.
On July 11, 2023, a third version of the malware surfaced, targeting organizations that included not limited to Italy. The version was executed via a zipped JavaScript file and included modules to reach compromised web hosts, exfiltrate host information via HTTP cookies, and process shell code.
Bottomline
Given its usage by multiple threat actors and evolution, researchers believe that WikiLoader can benefit criminals operating as Initial Access Brokers (IABs) in the future to deliver additional malware payloads. Organizations and network defenders must leverage IOCs related to the malware to understand the current attack patterns and enhance the defense approaches to stay safe.