Proofpoint identifies WikiLoader, a sophisticated downloader used in multiple Italian-focused campaigns, notable for its evasion techniques and modular, multi-stage chain that culminates in Ursnif delivery. The malware is thought to be rentable to multiple cybercriminal groups, with WikiLoader’s behavior including checks against automated analysis and use of unconventional infrastructure like Discord and Wikipedia.
#WikiLoader #TA544
Key points
- WikiLoader is a new downloader identified by Proofpoint and linked to Ursnif as a follow-on payload.
- Campaigns delivering WikiLoader targeted Italian organizations and involved multiple actors (TA544 and TA551).
- The malware employs extensive evasion techniques, including obfuscated code, indirect syscalls, and busy loops to hinder analysis.
- Delivery relied on macro-enabled documents (Excel), OneNote attachments, and PDFs with embedded or linked payloads.
- WikiLoader uses a packed loader with multi-stage shellcode and checks connectivity to Wikipedia to avoid detonation in sandboxes.
- Its evolution shows increasing complexity and potential for wider use by initial access brokers (IABs).
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – “Campaigns began with emails containing either Microsoft Excel attachments, Microsoft OneNote attachments, or PDF attachments.”
- [T1059.005] Command and Scripting Interpreter: Visual Basic – “The Microsoft Excel attachments contained characteristic VBA macros which, if enabled by the recipient, would download and execute a new unidentified downloader that Proofpoint researchers eventually dubbed WikiLoader.”
- [T1105] Ingress Tool Transfer – “would download and execute a new unidentified downloader”
- [T1055] Process Injection – “The malware starts by finding the address of NtCreateThreadEx which allows it to spawn a thread pointing to GetModuleFileNameA.”
- [T1027] Obfuscated/Compressed Files and Information – “The first stage of WikiLoader is highly obfuscated. Most of the call instructions have been replaced with a combination of push/jmp…”
- [T1497] Virtualization/Sandbox Evasion – “indirect syscalls in an attempt to evade endpoint detection and response (EDR) solutions and sandbox hooks.”
- [T1071.001] Web Protocols – “The loader makes an HTTPS request to Wikipedia.com and checks that the response has the string ‘The Free’ in the contents.”
- [T1041] Exfiltration Over C2 Channel – “exfiltration of host information via HTTP cookies.”
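The key points and technique mappings above describe three network-visible behaviours: an Office process pulling an ISO from the Discord CDN, a non-browser process probing Wikipedia as a sandbox check, and host data leaving in HTTP cookies to a .php endpoint. The following is an added detection example, not code from Proofpoint or the original post; the proxy-event fields, process names, and cookie-length threshold are constructed assumptions.

```python
"""Added example: correlate proxy events per host for the WikiLoader behaviours
this summary lists. Event schema and thresholds are assumptions, not telemetry."""
from collections import defaultdict

OFFICE = {"excel.exe", "winword.exe", "onenote.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def classify(ev):
    """Map one proxy event to a WikiLoader-style indicator name, or None."""
    proc, dest = ev["proc"].lower(), ev["dest"].lower()
    path = ev["path"].lower().split("?")[0]          # drop query string such as ?id=1
    if proc in OFFICE and dest.endswith("discordapp.com") and path.endswith(".iso"):
        return "office_fetches_discord_iso"
    if proc not in BROWSERS and dest.endswith("wikipedia.org"):
        return "non_browser_wikipedia_probe"         # sandbox connectivity check
    if proc not in BROWSERS and path.endswith(".php") and ev.get("cookie_len", 0) >= 200:
        return "cookie_exfil_to_php_endpoint"        # host info carried in cookies
    return None

def flag_hosts(events, min_hits=2):
    """Return {host: sorted indicators} for hosts showing >= min_hits distinct indicators."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[ev["host"]].add(tag)
    return {h: sorted(t) for h, t in hits.items() if len(t) >= min_hits}

# Constructed sample events (assumed schema, not real logs).
SAMPLE = [
    {"host": "ws01", "proc": "excel.exe", "dest": "cdn.discordapp.com", "path": "/attachments/x/y/dw.iso"},
    {"host": "ws01", "proc": "rundll32.exe", "dest": "en.wikipedia.org", "path": "/"},
    {"host": "ws01", "proc": "rundll32.exe", "dest": "example.invalid", "path": "/vendor/a.php?id=1", "cookie_len": 412},
    {"host": "ws02", "proc": "chrome.exe", "dest": "en.wikipedia.org", "path": "/wiki/Main_Page"},
    {"host": "ws02", "proc": "chrome.exe", "dest": "cdn.discordapp.com", "path": "/attachments/a/b/c.png"},
]

if __name__ == "__main__":
    print(flag_hosts(SAMPLE))
```

Requiring two or more distinct indicators per host keeps a lone Wikipedia lookup from an updater or script from paging anyone; tune `min_hits` and `BROWSERS` to the environment.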
Indicators of Compromise
Read more: https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion