Delivery- and shipping-themed email messages are being used to deliver a sophisticated malware loader known as WailingCrab.
“The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often necessary to retrieve the next stage,” IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Metrick said.
WailingCrab, also called WikiLoader, was first documented by Proofpoint in August 2023, detailing campaigns targeting Italian organizations that used the malware to ultimately deploy the Ursnif (aka Gozi) trojan. It was spotted in the wild in late December 2022.
The malware is the handiwork of a threat actor known as TA544, which is also tracked as Bamboo Spider and Zeus Panda. IBM X-Force has named the cluster Hive0133.
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.
Actively maintained by its operators, the malware has been observed incorporating features that prioritize stealth and allows it to resist analysis efforts. To further lower the chances of detection, legitimate, hacked websites are used for initial command-and-control (C2) communications.
What’s more, components of the malware are stored on well-known platforms such as Discord. Another noteworthy change to the malware since mid-2023 is the use of MQTT, a lightweight messaging protocol for small sensors and mobile devices, for C2.
The loader is responsible for launching the next-stage shellcode, an injector module that, in turn, kick-starts the execution of a downloader to deploy the backdoor ultimately.
“In prior versions, this component would download the backdoor, which would be hosted as an attachment on the Discord CDN,” the researchers said.
“However, the latest version of WailingCrab already contains the backdoor component encrypted with AES, and it instead reaches out to its C2 to download a decryption key to decrypt the backdoor.”
The backdoor, which acts as the malware’s core, is designed to establish persistence on the infected host and contact the C2 server using the MQTT protocol to receive additional payloads.
On top of that, newer variants of the backdoor eschew a Discord-based download path in favor of a shellcode-based payload directly from the C2 via MQTT.
“The move to using the MQTT protocol by WailingCrab represents a focused effort on stealth and detection evasion,” the researchers concluded. “The newer variants of WailingCrab also remove the callouts to Discord for retrieving payloads, further increasing its stealthiness.”
“Discord has become an increasingly common choice for threat actors looking to host malware, and as such it is likely that file downloads from the domain will start coming under higher levels of scrutiny. Therefore, it is not surprising that the developers of WailingCrab decided on an alternative approach.”
The abuse of Discord’s content delivery network (CDN) for distributing malware hasn’t gone unnoticed by the social media company, which told Bleeping Computer earlier this month that it will switch to temporary file links by the end of the year.
var share_url = encodeURIComponent(‘https://thehackernews.com/2023/11/alert-new-wailingcrab-malware-loader.html’);
var share_title = document.getElementsByTagName(“title”).innerHTML;
share_title = encodeURIComponent(share_title);
Đăng ký liền tay Nhận Ngay Bài Mới
Cám ơn bạn đã đăng ký !
Lỗi đăng ký !