Experts have uncovered a new piece of malware, which they dubbed “WikiLoader”. Experts first observed the new malware when it was distributed by TA544 (Threat Actor 544), a group of cybercriminals that typically use Ursnif malware in their attacks to target companies primarily in Italy. As a result, Proofpoint was able to observe further cyber campaigns.
WikiLoader is a sophisticated downloader designed to install another malware payload. The newly discovered malware includes remarkable obfuscation techniques and custom code implementations designed to make detection and analysis by cyber forensic scientists more difficult. The developers probably already rent WikiLoader to selected cybercriminal actors.
Based on its observations, Proofpoint believes that this malware is also used by other cybercriminal groups, particularly those acting as initial access brokers (IABs).
Attack campaigns with WikiLoader
Proofpoint experts have uncovered at least eight campaigns in which WikiLoader has been distributed since December 2022. The cyber campaigns started with emails containing either Microsoft Excel attachments, Microsoft OneNote attachments, or PDF attachments. Not only was WikiLoader distributed by TA544, but also by at least one other group, TA551. Both criminal actors focused their attention on Italy. While most cybercriminals have moved away from using macro-based documents as a vehicle for spreading malware, TA544 continues to use them in their attack chains, including to spread WikiLoader.
The most notable WikiLoader campaigns were observed by Proofpoint experts on December 27, 2022, February 8, 2023 and, quite recently, on July 11, 2023. WikiLoader was observed as a follow-up payload after the installation of Ursnif.
Infected Excel, OneNote or PDF attachments
“WikiLoader is a sophisticated new piece of malware that has only recently appeared on the cybercrime landscape and so far has been associated primarily with Ursnif distribution campaigns. It is currently under active development, and its authors appear to be making regular changes to remain undetected and bypass common defenses,” said Selena Larson, Senior Threat Intelligence Analyst at Proofpoint.
“It stands to reason that other cybercriminal groups will use this malware in the foreseeable future, in particular the so-called Initial Access Brokers (IABs). These regularly draw attention to themselves with activities that serve to spread ransomware. Cybersecurity leaders should become familiar with this new malware and the latest activity surrounding its proliferation, and take steps to protect their organizations from infection.”
The Proofpoint experts have compiled their findings about WikiLoader in a detailed, technical investigation and summarized them in an English-language blog post.
More at Proofpoint.com
About Proofpoint Proofpoint, Inc. is a leading cybersecurity company. The focus for Proofpoint is the protection of employees. Because these mean the greatest capital for a company, but also the greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.