The Italian organizations, including tax agencies, were targeted by a new malware downloader delivering banking Trojan.
The new loader malware is presently undergoing active development, employing a diverse array of sophisticated mechanisms to evade detection effectively.
This new loader malware was identified by Proofpoint researchers, and they dubbed it “WikiLoader.” This malware was linked to TA544, known as Ursnif, and targets Italian organizations in multiple campaigns since December 2022.
The sophisticated WikiLoader installs 2nd malware with unique evasion and code implementation for elusive detection and analysis.
Since December 2022, security researchers at Proofpoint found 8 campaigns spreading WikiLoader 2022 via email attachments like:-
Moreover, it’s been observed that there are two threat actors actively spreading WikiLoader malware:-
While the threat group TA544 still uses macro docs for delivering WikiLoader, unlike other cybercriminals. Proofpoint’s initial WikiLoader distribution was seen on 27 Dec 2022.
Here below, we have mentioned the most notable WikiLoader campaigns:-
High-volume malicious emails in Italy targeted firms using Excel spoofing Italian Revenue Agency, featuring VBA macros triggering WikiLoader downloader, which was attributed to TA544.
On 8 Feb 2023, Proofpoint found an updated WikiLoader in an Italian campaign by TA544. VBA-enabled Excel documents led to WikiLoader installing Ursnif with advanced evasion techniques.
Security analysts marked that TA551 delivered WikiLoader via OneNote attachments with hidden CMD files on 31 March 2023, targeting Italian organizations, and it’s a notable instance with a non-TA544 actor.
While there are some extended malware changes were identified by the cybersecurity analysts in TA544’s high-volume campaign on 11 July 2023.
As they found that the threat actors were using accounting-themed PDFs to deliver WikiLoader via JavaScript.
Threat actors often use packed downloaders for stealth and control. WikiLoader’s first stage is obfuscated with push/jmp instructions, evading analysis tools, and using indirect syscalls to bypass EDR solutions.
The malware used odd paths to mimic compromised hosts, it’s a common tactic by threat actors to use the existing infrastructure without registration.
Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.
The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …
INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…
Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…
A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…
Recent research has linked a series of cyberattacks to The Mask group, as one notable…
RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…