Weaponized Excel, OneNote, or PDF Attachments Deliver New WikiLoader Malware

The Italian organizations, including tax agencies, were targeted by a new malware downloader delivering banking Trojan.

The new loader malware is presently undergoing active development, employing a diverse array of sophisticated mechanisms to evade detection effectively.

This new loader malware was identified by Proofpoint researchers, and they dubbed it “WikiLoader.” This malware was linked to TA544, known as Ursnif, and targets Italian organizations in multiple campaigns since December 2022.

WikiLoader & Campaign Distribution

The sophisticated WikiLoader installs 2nd malware with unique evasion and code implementation for elusive detection and analysis.

Since December 2022, security researchers at Proofpoint found 8 campaigns spreading WikiLoader 2022 via email attachments like:-

  • Excel
  • OneNote
  • PDFs

Moreover, it’s been observed that there are two threat actors actively spreading WikiLoader malware:- 

  • TA544
  • TA551

While the threat group TA544 still uses macro docs for delivering WikiLoader, unlike other cybercriminals. Proofpoint’s initial WikiLoader distribution was seen on 27 Dec 2022. 

Here below, we have mentioned the most notable WikiLoader campaigns:-

  • 27 Dec 2022
  • 8 Feb 2023
  • 11 July 2023

High-volume malicious emails in Italy targeted firms using Excel spoofing Italian Revenue Agency, featuring VBA macros triggering WikiLoader downloader, which was attributed to TA544.

Excel Attachment (Source – ProofPoint)

On 8 Feb 2023, Proofpoint found an updated WikiLoader in an Italian campaign by TA544. VBA-enabled Excel documents led to WikiLoader installing Ursnif with advanced evasion techniques.

Attack Chain

Security analysts marked that TA551 delivered WikiLoader via OneNote attachments with hidden CMD files on 31 March 2023, targeting Italian organizations, and it’s a notable instance with a non-TA544 actor.

While there are some extended malware changes were identified by the cybersecurity analysts in TA544’s high-volume campaign on 11 July 2023.

As they found that the threat actors were using accounting-themed PDFs to deliver WikiLoader via JavaScript.

Threat actors often use packed downloaders for stealth and control. WikiLoader’s first stage is obfuscated with push/jmp instructions, evading analysis tools, and using indirect syscalls to bypass EDR solutions.

Attack Chain (Source – ProofPoint)

The malware used odd paths to mimic compromised hosts, it’s a common tactic by threat actors to use the existing infrastructure without registration.

WikiLoader Evolution

First version – 27 December 2022:-

  • No string encoding within the shellcode layers
  • Structures used for indirect syscalls were simpler
  • Shellcode layers didn’t contain as much obfuscation
  • Fewer APIs were used within the shellcode layer
  • Potentially one less stage of shellcode
  • The fake domain was manually created rather than via automation

Second version – 8 February 2023:-

  • Added complexity to the syscall structure
  • Implemented more busy loops
  • Began using encoded strings
  • Started deleting artifacts from the file download

Third version – 11 July 2023:-

  • Strings are still encoded via skip encoding
  • A new technique for implementing indirect syscalls
  • The second filename is pulled via the MQTT protocol rather than reaching the compromised web hosts
  • Cookies are exfiltrated from the loader which contains basic host information
  • Full execution of the loader takes almost an hour given the abundance of busy loops
  • Shellcode stages are written byte by byte via NtWriteVirtualMemory rather than a single pass

IoCs

IoCs (Source – ProofPoint)

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

14 hours ago

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…

14 hours ago

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…

15 hours ago

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…

16 hours ago

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one notable…

16 hours ago

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…

16 hours ago