Weaponized Excel, OneNote, or PDF Attachments Deliver New WikiLoader Malware

The Italian organizations, including tax agencies, were targeted by a new malware downloader delivering banking Trojan.

The new loader malware is presently undergoing active development, employing a diverse array of sophisticated mechanisms to evade detection effectively.

This new loader malware was identified by Proofpoint researchers, and they dubbed it “WikiLoader.” This malware was linked to TA544, known as Ursnif, and targets Italian organizations in multiple campaigns since December 2022.

WikiLoader & Campaign Distribution

The sophisticated WikiLoader installs 2nd malware with unique evasion and code implementation for elusive detection and analysis.

Since December 2022, security researchers at Proofpoint found 8 campaigns spreading WikiLoader 2022 via email attachments like:-

• Excel
• OneNote
• PDFs

Moreover, it’s been observed that there are two threat actors actively spreading WikiLoader malware:- 

• TA544
• TA551

While the threat group TA544 still uses macro docs for delivering WikiLoader, unlike other cybercriminals. Proofpoint’s initial WikiLoader distribution was seen on 27 Dec 2022. 

Here below, we have mentioned the most notable WikiLoader campaigns:-

• 27 Dec 2022
• 8 Feb 2023
• 11 July 2023

High-volume malicious emails in Italy targeted firms using Excel spoofing Italian Revenue Agency, featuring VBA macros triggering WikiLoader downloader, which was attributed to TA544.

On 8 Feb 2023, Proofpoint found an updated WikiLoader in an Italian campaign by TA544. VBA-enabled Excel documents led to WikiLoader installing Ursnif with advanced evasion techniques.

Attack Chain

Security analysts marked that TA551 delivered WikiLoader via OneNote attachments with hidden CMD files on 31 March 2023, targeting Italian organizations, and it’s a notable instance with a non-TA544 actor.

While there are some extended malware changes were identified by the cybersecurity analysts in TA544’s high-volume campaign on 11 July 2023.

As they found that the threat actors were using accounting-themed PDFs to deliver WikiLoader via JavaScript.

Threat actors often use packed downloaders for stealth and control. WikiLoader’s first stage is obfuscated with push/jmp instructions, evading analysis tools, and using indirect syscalls to bypass EDR solutions.

The malware used odd paths to mimic compromised hosts, it’s a common tactic by threat actors to use the existing infrastructure without registration.

WikiLoader Evolution

First version – 27 December 2022:-

• No string encoding within the shellcode layers
• Structures used for indirect syscalls were simpler
• Shellcode layers didn’t contain as much obfuscation
• Fewer APIs were used within the shellcode layer
• Potentially one less stage of shellcode
• The fake domain was manually created rather than via automation

Second version – 8 February 2023:-

• Added complexity to the syscall structure
• Implemented more busy loops
• Began using encoded strings
• Started deleting artifacts from the file download

Third version – 11 July 2023:-

• Strings are still encoded via skip encoding
• A new technique for implementing indirect syscalls
• The second filename is pulled via the MQTT protocol rather than reaching the compromised web hosts
• Cookies are exfiltrated from the loader which contains basic host information
• Full execution of the loader takes almost an hour given the abundance of busy loops
• Shellcode stages are written byte by byte via NtWriteVirtualMemory rather than a single pass

IoCs

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.