Threat actors use WikiLoader to launch the Ursnif Trojan

September 1, 2023

A new cybercriminal campaign uses the WikiLoader malware to drop another trojan after infection. The malware allegedly got its name from Wikipedia: it contacts the site and then checks whether the response contains the string ‘The Free’ before continuing.

Researchers believe malware operators adopt this strategy to remain under the radar during infection.

Recent research has found WikiLoader in about eight cybercriminal campaigns that have targeted Italian organisations since December last year. These operations used emails with MS OneNote, PDF, or MS Excel attachments; once a user opens one of these files, the loader deploys the Ursnif payload.

Based on reports, numerous threat groups leverage WikiLoader, although it is most widely adopted by the TA544 APT. The other advanced persistent threat group that constantly uses the malware is TA551.

The WikiLoader currently has three different versions.

There are three versions of the WikiLoader malware. This detail implies that the malware developers are still developing the malware.

Researchers spotted the first version in a malware campaign that targeted Italian organisations in December last year. The campaign impersonated the Italian Revenue Agency. TA544, the alleged operator, used few APIs and kept no strings within its shellcode layers.

The second version appeared in February, when researchers said that the WikiLoader operators used it in widespread attacks on Italian users. The malware attack mimicked an Italian courier service to launch the Ursnif trojan.

The second version included more complex structures, encoded strings, and additional stalling prompts to bypass automated analysis.

Last month, researchers spotted the third version after it targeted organisations that included Italian entities and other international companies. The actors delivered it as a zipped JavaScript archive, and this version contained modules to contact infected web hosts, exfiltrate host details through HTTP cookies, and process shellcode.
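Two of the behaviours described above give defenders something to hunt for in outbound HTTP telemetry: the loader's Wikipedia request (the ‘The Free’ check) is made by the loader itself rather than by a browser, and host details leave the machine inside HTTP cookies. The following script is an added example, not code from the article or from any vendor; it assumes a hypothetical proxy-log schema (process, host, path, headers), uses a constructed list of events, and the process names and thresholds are assumptions to tune for your own estate.

```python
import base64
import json
import math
import re
from collections import Counter

# Processes that should not normally contact Wikipedia or carry cookies on their own.
# Office and script hosts are listed because the article describes OneNote, PDF,
# Excel and zipped JavaScript lures; the exact list is an assumption, tune it.
NON_BROWSER_PROCESSES = {
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe",
    "regsvr32.exe", "excel.exe", "onenote.exe", "winword.exe", "acrord32.exe",
}

# Base64 / URL-safe base64 alphabet plus padding.
BASE64_LIKE = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(text: str) -> float:
    """Bits per character; random base64 is close to 6, English text is near 4."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_cookie_header(header: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; tolerates a missing '='."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def is_suspicious_wikipedia_check(event: dict) -> bool:
    """Loader-style reachability check: Wikipedia contacted by a non-browser process."""
    host = event.get("host", "").lower()
    proc = event.get("process", "").lower()
    return host.endswith("wikipedia.org") and proc in NON_BROWSER_PROCESSES


def suspicious_cookie_values(event: dict, min_len: int = 64, min_entropy: float = 3.5) -> list:
    """Return cookie values that look like encoded host data rather than session ids.

    Heuristic: long, base64-like, high-entropy values sent by a process that is not
    a browser. Real session cookies are also long and random, which is why the
    process filter is applied first to keep false positives down.
    """
    proc = event.get("process", "").lower()
    if proc not in NON_BROWSER_PROCESSES:
        return []
    header = event.get("headers", {}).get("Cookie", "")
    hits = []
    for value in parse_cookie_header(header).values():
        if (len(value) >= min_len and BASE64_LIKE.match(value)
                and shannon_entropy(value) >= min_entropy):
            hits.append(value)
    return hits


def triage(events: list) -> list:
    """Return (event index, reason) pairs for everything worth an analyst's attention."""
    findings = []
    for i, ev in enumerate(events):
        if is_suspicious_wikipedia_check(ev):
            findings.append((i, "wikipedia reachability check from non-browser process"))
        if suspicious_cookie_values(ev):
            findings.append((i, "encoded data in Cookie header from non-browser process"))
    return findings


# Constructed sample telemetry (hypothetical schema), not real log data.
_fake_host_profile = json.dumps(
    {"hostname": "WS-FIN-07", "user": "m.rossi", "domain": "EXAMPLE", "os": "Windows 10"})
SAMPLE_EVENTS = [
    # 0: a user browsing Wikipedia, benign
    {"process": "chrome.exe", "host": "en.wikipedia.org", "path": "/wiki/Main_Page",
     "headers": {"Cookie": "GeoIP=IT; lang=it"}},
    # 1: a script host fetching Wikipedia right after a document opened
    {"process": "wscript.exe", "host": "en.wikipedia.org", "path": "/", "headers": {}},
    # 2: the same process sending an encoded host profile inside a cookie
    {"process": "wscript.exe", "host": "compromised-site.invalid", "path": "/index.php",
     "headers": {"Cookie": "id=" + base64.b64encode(_fake_host_profile.encode()).decode()}},
    # 3: a browser carrying a long session token, not flagged due to the process filter
    {"process": "firefox.exe", "host": "mail.example.test", "path": "/",
     "headers": {"Cookie": "sid=" + "A" * 80}},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev['process']} -> {ev['host']}: {reason}")
```

Run against the constructed events, only events 1 and 2 are reported. The process filter is what makes the cookie heuristic usable: without it, every long session token from a browser would fire, so in production pair these checks with parent-process context (an Office or script host spawned from an email attachment) and with the published IOCs rather than treating either heuristic as a standalone alert.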

The WikiLoader malware could aid numerous cybercriminals, since it can function as an Initial Access Broker that delivers additional malware payloads, such as Ursnif in its second appearance in the wild.

Organisations and network security teams should use the IOCs related to the malware to learn more about its TTPs and upgrade their defences to remain safe from such threats.
