Researchers at Proofpoint have discovered a new malware family. The loader submits a request to Wikipedia and checks whether the reply contains the words 'The Free'; the researchers therefore named it WikiLoader.
Figure 1: Screenshot of the loader checking the Wikipedia URL, shown in a web browser.
WikiLoader was first observed in December 2022, delivered by TA544, an actor that typically uses Ursnif malware when targeting Italian organisations. Proofpoint has since observed multiple follow-up campaigns against Italian organisations. WikiLoader is a sophisticated downloader whose purpose is to install a second malware payload. It contains notable evasion techniques and custom implementation code that make detection and analysis difficult. It was probably developed as malware to be rented out to selected cybercriminal threat actors, and Proofpoint expects Initial Access Brokers (IABs) in particular to use it.
So far, Proofpoint has only seen WikiLoader deliver Ursnif as its second-stage payload. But because multiple threat actors are already using the loader, it is possible that more cybercrime actors, especially those who buy access from IABs, will use WikiLoader to deliver additional malware payloads in the future.
Selena Larson, senior threat intelligence analyst at Proofpoint: "WikiLoader is an advanced, new malware that has recently emerged in the cybercriminal threat landscape. The malware has so far been associated with campaigns delivering Ursnif. WikiLoader is currently under active development and it seems that its authors are making regular changes in the hope of remaining undetected and under the radar. It is very likely that more criminal threat actors are using this malware, especially criminals known as 'Initial Access Brokers (IABs)'. They regularly carry out activities that lead to ransomware. Defenders should be aware of WikiLoader and activities involved in delivering payloads. And they should take action to protect their organisation from exploitation."
Based on this analysis, Proofpoint is convinced that the malware is developing rapidly. The company also expects its operators to make the loader more complex, which will make the payload harder to track.
Threat actors deliver WikiLoader through delivery mechanisms Proofpoint observes regularly: documents with macros, PDF files with URLs leading to a JavaScript payload, and OneNote attachments with embedded executables. User interaction is required to start the infection. Organisations can block these paths by disabling macros by default for all employees, blocking the execution of embedded files in OneNote documents, and making JavaScript files open in Notepad (or a similar text editor) instead of the script host by changing the default file extension association via a Group Policy Object (GPO).
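As an added example (not Proofpoint's or the article's own code), the following read-only PowerShell audit checks whether the three hardening settings just described are in place on a single Windows host. It assumes the Office 2016/Microsoft 365 policy registry locations (the `16.0` hive under `Software\Policies\Microsoft\Office`) and the OneNote `EmbeddedFileOpenOptions` value names as published in Microsoft's Office ADMX templates; verify both against the templates deployed in your environment before relying on the result.

```powershell
# Added example: audit of the WikiLoader delivery-path mitigations on one host.
# Read-only (Get-ItemProperty only), so it needs no elevation.
# Assumption: Office 16.0 policy paths and OneNote policy value names as in
# Microsoft's ADMX templates; adjust if your templates differ.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null   # key or value absent: the policy is not configured
    }
}

# 1. Excel macros: VBAWarnings = 4 disables all macros without notification;
#    blockcontentexecutionfrominternet = 1 blocks macros in files with a Mark-of-the-Web.
$excelSec    = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'
$vbaWarnings = Get-RegValue $excelSec 'VBAWarnings'
$motwBlock   = Get-RegValue $excelSec 'blockcontentexecutionfrominternet'

# 2. OneNote: the "block embedded files" policy (assumed value name DisableEmbeddedFiles = 1).
$oneNoteOpts     = 'HKCU:\Software\Policies\Microsoft\Office\16.0\OneNote\Options\EmbeddedFileOpenOptions'
$disableEmbedded = Get-RegValue $oneNoteOpts 'DisableEmbeddedFiles'

# 3. .js association: the JSFile open command should point at Notepad, not wscript.exe.
$jsCmd = Get-RegValue 'Registry::HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command' '(default)'

$findings = @(
    [pscustomobject]@{ Control = 'Excel macros disabled (VBAWarnings = 4)';   Value = $vbaWarnings;     Pass = ($vbaWarnings -eq 4) }
    [pscustomobject]@{ Control = 'Excel blocks internet macros';              Value = $motwBlock;       Pass = ($motwBlock -eq 1) }
    [pscustomobject]@{ Control = 'OneNote embedded files blocked';            Value = $disableEmbedded; Pass = ($disableEmbedded -eq 1) }
    [pscustomobject]@{ Control = '.js files open in Notepad';                 Value = $jsCmd;           Pass = ($jsCmd -match 'notepad\.exe') }
)

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit for fleet scripts
```

Run it under the account of the user being audited, since the macro and OneNote policies live in HKCU; a `$null` value means the GPO has not applied rather than that the setting is permissive. Pushing the corrections themselves belongs in the GPO, not in a script, so that they survive user changes and are reported centrally.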
Examples of WikiLoader
Since December 2022, Proofpoint researchers have identified at least eight campaigns distributing WikiLoader, for example via emails carrying a Microsoft Excel, Microsoft OneNote or PDF attachment. Proofpoint also found that both TA544 and TA551 spread the malware, which is remarkable, since most cybercriminals no longer use macro-enabled documents to distribute malware.
On 27 December 2022, researchers observed the first campaign (see Figure 2). WikiLoader was spread via a large number of malicious spoofed emails targeting Italian companies. The emails impersonated the Italian Tax Authority and carried an Excel attachment containing VBA macros that, when enabled by the recipient, downloaded a new, previously unidentified downloader (WikiLoader). Proofpoint attributed this campaign to TA544.
Figure 2: A screenshot of an Excel attachment that was deployed on 27 December 2022 during a WikiLoader campaign.
On 8 February 2023, Proofpoint researchers discovered an updated version of WikiLoader, this time spoofing an Italian delivery service. The campaign was again distributed via an Excel attachment with VBA macros that, once enabled by the recipient, installed WikiLoader, which then downloaded Ursnif. Although this version, like its predecessor, was distributed via Excel, it was more complex in structure, contained additional mechanisms for evading automated analysis, and used encrypted strings.
Figure 3: An Excel document with macros used during the 8 February 2023 attack.
On 31 March 2023, TA551 delivered WikiLoader via a OneNote attachment. The attachment hid CMD files behind an 'open' button; once the recipient clicked the button, the malware was downloaded and installed. This campaign again targeted Italian companies, and it was the first time an actor other than TA544 had used WikiLoader.
Researchers recently identified further changes to the protocol used by the actively developed malware. In a campaign on 11 July 2023, TA544 used accounting themes to send PDF attachments; URLs in the PDF led to a zipped JavaScript file which, when executed, downloaded and ran WikiLoader. The campaign consisted of 150,000 messages and, unlike its predecessors, was no longer aimed exclusively at Italian organisations.
Figure 4: Example of an email from the 11 July 2023 attack.