Keypoints
- Delivery of WikiLoader increased in February 2024, with sample uploads visible on MalwareBazaar.
- WikiLoader is a downloader/MaaS first observed in 2022 and often used to deploy banking malware like Ursnif.
- Threat actors TA544 and TA551 have been linked to WikiLoader campaigns targeting organizations in Europe and Japan.
- Typical infection chain: phishing email → PDF with malicious URL → compressed JavaScript stager → final payload download.
- Evasion techniques include code obfuscation and use of indirect system calls to avoid anti-malware detection.
- Main delivery vectors: macro-enabled Office documents, PDFs containing URLs to JavaScript payloads, and OneNote attachments with embedded executables.
- Recommended mitigations: Sigma detection rules for suspicious Office child processes and script execution, block/whitelist wscript.exe, disable macros, enforce 2FA, and prevent OneNote-embedded executable execution.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Used as the initial vector via attachments: (‘The infection process typically begins with a phishing email that contains a PDF attachment.’)
- [T1566.002] Phishing: Spearphishing Link – Delivery via links in documents that lead to secondary payloads: (‘This PDF contains a malicious link that, when clicked by the victim, initiates the download of a compressed JavaScript file.’)
- [T1204.002] User Execution: Malicious File – Victim interaction triggers execution of downloaded content: (‘This file then downloads the final payload.’)
- [T1105] Ingress Tool Transfer – Staged download of secondary payloads and tools over the web: (‘…initiates the download of a compressed JavaScript file. This file then downloads the final payload.’)
- [T1027] Obfuscated Files or Information – Use of obfuscation to evade detection: (‘To avoid detection by anti-malware scanners, the malware employs evasion tactics such as obfuscation…’)
- [T1059.007] Command and Scripting Interpreter: JavaScript – JavaScript stager used to fetch and execute final payloads: (‘…initiates the download of a compressed JavaScript file.’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – Evasion and sandbox-avoidance techniques to reduce detection efficacy: (‘To avoid detection by anti-malware scanners, the malware employs evasion tactics … the use of indirect system calls.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Use of web protocols to retrieve staged payloads from remote hosts: (‘This file then downloads the final payload.’)
- [T1027.002] Obfuscated Files or Information: Software Packing – Compression of the delivered JavaScript stager, a packing-like technique that hinders analysis: (‘initiates the download of a compressed JavaScript file.’)
Indicators of Compromise
- [Domain/URL] Malware sample repository context – https://bazaar.abuse.ch/browse.php?search=tag%3AWikiLoader (MalwareBazaar sample listings for WikiLoader)
- [Domain/URL] Malpedia context – https://malpedia.caad.fkie.fraunhofer.de/details/win.wikiloader (WikiLoader family documentation)
- [File/Process] Living-off-the-Land binary context – wscript.exe (execution of wscript.exe recommended to be monitored or blocked)
- [File Type] Stager context – compressed JavaScript file (PDFs contain URLs that download compressed JavaScript which then fetches the final payload)
- [Repository/Rules] Sigma detection rules context – https://github.com/SigmaHQ/sigma/…/proc_creation_win_office_susp_child_processes.yml and https://github.com/SigmaHQ/sigma/…/proc_creation_win_susp_script_exec_from_env_folder.yml (recommended detection signatures)
WikiLoader operates as a downloader service (MaaS), and its infection chain typically starts with a phishing email delivering a PDF that embeds a malicious URL. When the victim clicks the URL the PDF references, the link retrieves a compressed JavaScript stager; that stager executes (often via a script interpreter such as wscript.exe) and pulls down the final payload, which has commonly been observed to be banking malware such as Ursnif. To evade detection, operators apply code obfuscation and indirect system calls, and may compress or pack the JavaScript to hinder static analysis.
Delivery vectors observed in the wild include macro-enabled Office documents, PDFs containing URLs to JavaScript payloads, and OneNote attachments embedding executables. Detection and mitigation opportunities include deploying Sigma rules to detect suspicious Office child process creation and script interpreter execution from atypical folders, blocking or whitelisting execution of wscript.exe and other LOLBins, configuring JavaScript files to open in a text editor by default, preventing execution of external files embedded in OneNote, disabling macros for users by policy, and enforcing multi-factor authentication and browser policies that block credential storage.
Operational defenders should prioritize monitoring web-download activity (especially JavaScript stagers), network egress to unknown hosts, and behavior-based detections for obfuscated or packed scripts. Combining host hardening (application whitelisting, macro controls, 2FA) with Sigma-based telemetry and threat intelligence feeds (MalwareBazaar/Malpedia entries and supplier reports) improves the chance of detecting and disrupting WikiLoader campaigns before financial malware is delivered.
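As an added illustration of the telemetry checks described above (example code written for this summary, not taken from the EclecticIQ post or the SigmaHQ rules themselves), the following Python models the logic of the two recommended Sigma rules over constructed Sysmon-style process-creation events: an Office application spawning a script host, and wscript/cscript running a script out of a user-writable folder. Event field names, process lists and sample paths are assumptions chosen for this example.

```python
# Added example, not from the EclecticIQ post: toy detection pass over constructed
# Sysmon-style process-creation events, modelled on the two recommended Sigma rules.
import ntpath  # parses Windows paths correctly on any host
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")

@dataclass
class ProcEvent:            # field names are assumptions for this example
    parent_image: str       # full path of the parent process
    image: str              # full path of the created process
    command_line: str

def office_spawns_script_host(ev: ProcEvent) -> bool:
    """Macro/OneNote-style delivery: an Office app starts a script interpreter."""
    return (ntpath.basename(ev.parent_image).lower() in OFFICE_PARENTS
            and ntpath.basename(ev.image).lower() in SCRIPT_HOSTS)

def script_from_user_writable_dir(ev: ProcEvent) -> bool:
    """Downloaded-stager style: wscript/cscript runs a script out of Temp, Downloads, etc."""
    if ntpath.basename(ev.image).lower() not in {"wscript.exe", "cscript.exe"}:
        return False
    cl = ev.command_line.lower()
    return any(d in cl for d in USER_WRITABLE_DIRS) and any(x in cl for x in SCRIPT_EXTS)

RULES = (("office_child_script_host", office_spawns_script_host),
         ("script_exec_from_user_dir", script_from_user_writable_dir))

def classify(events):
    """Return (process name, [matched rule names]) for each event matching at least one rule."""
    hits = []
    for ev in events:
        reasons = [name for name, rule in RULES if rule(ev)]
        if reasons:
            hits.append((ntpath.basename(ev.image).lower(), reasons))
    return hits

# Constructed sample telemetry: two events mimicking the WikiLoader chain, two benign ones.
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\wscript.exe",
              '"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\alice\\Downloads\\invoice_2024.js"'),
    ProcEvent("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
              "C:\\Windows\\System32\\cmd.exe", 'cmd.exe /c start "" "%TEMP%\\update.exe"'),
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe readme.txt"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\cscript.exe",
              'cscript.exe "C:\\Windows\\System32\\slmgr.vbs" /dli'),
]
```

Running `classify(SAMPLE_EVENTS)` flags only the first two events; the benign cscript run of a script under System32 is not matched, which is the distinction the second rule relies on.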
Read more: https://blog.eclecticiq.com/wikiloader-delivery-spikes-in-february-2024