New WailingCrab Malware Loader Spread via Shipping-Themed Emails

Nov 23, 2023 | Newsroom | Malware / Threat Analysis


Email messages with a shipping and delivery theme are used to deliver a sophisticated malware loader known as WailingCrab.

“The malware itself is divided into several components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often needed to progress to the next stage,” IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Sukatan said.

WailingCrab, also called WikiLoader, was first documented by Proofpoint in August 2023, detailing campaigns targeting Italian organizations that used the malware to eventually deploy the Ursnif (aka Gozi) trojan. It was spotted in the wild in late December 2022.

The malware is the work of a threat actor known as TA544, which is also tracked as Bamboo Spider and Zeus Panda. IBM X-Force named the cluster Hive0133.


Actively maintained by its operators, the malware has been observed to include features that focus primarily on stealth and allow it to resist detection efforts. To further reduce the chance of detection, legitimate but compromised websites are used for initial command-and-control (C2) communications.

Additionally, malware components are stored on well-known platforms such as Discord. Another notable change to the malware since mid-2023 is the use of MQTT, a lightweight messaging protocol for small sensors and mobile devices, for C2.

Use of the protocol is rare in the threat landscape; it has previously been observed in only a few instances, such as Tizi and MQsTTang.

Attack chains begin with emails carrying PDF attachments that contain URLs which, when clicked, download a JavaScript file designed to retrieve and launch the WailingCrab loader hosted on Discord.

The loader is responsible for launching the next stage shellcode, an injector module that, in turn, starts executing a downloader to deploy the backdoor at the end.

“In earlier versions, this component will download the backdoor, which will be hosted as an attachment on the Discord CDN,” the researchers said.

“However, the latest version of WailingCrab already contains the backdoor component encrypted with AES, and it instead reaches out to its C2 to download a decryption key to decrypt the backdoor.”

The backdoor, which acts as the core of the malware, is designed to establish persistence on the infected host and contact the C2 server using the MQTT protocol to receive additional payloads.


On top of that, newer variants of the backdoor eschew the Discord-based download path in favor of receiving a shellcode-based payload directly from the C2 via MQTT.
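The two traits above, payload staging on the Discord CDN and C2 over MQTT, are the ones a defender can most readily hunt for in endpoint network telemetry. The following is an added example written for this article, not code from IBM X-Force or Proofpoint; the `key=value` log format, hostnames, process names and the MQTT allowlist are constructed for the demonstration. It goes slightly beyond the article by matching MQTT CONNECT packets by their fixed header, so that MQTT C2 is caught even when it does not use the standard 1883/8883 ports.

```python
"""Hunting heuristics for two WailingCrab traits the article describes:
payload staging on the Discord CDN and C2 over MQTT.

Added example, not code from IBM X-Force or Proofpoint. The log format,
hostnames, process names and allowlist below are constructed for the demo.
"""
from dataclasses import dataclass

MQTT_PORTS = {1883, 8883}                    # standard plaintext / TLS MQTT ports
MQTT_ALLOWED_HOSTS = {"iot-gw-01"}           # constructed allowlist of legitimate MQTT clients
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


@dataclass
class Conn:
    host: str
    process: str
    dst: str
    port: int
    first_bytes: bytes   # first payload bytes of the flow, if captured


def looks_like_mqtt_connect(payload: bytes) -> bool:
    """Match an MQTT CONNECT packet regardless of the port it travels on.

    Fixed header: byte 0 is 0x10 (packet type 1 = CONNECT, flags 0); then a
    1-4 byte variable-length 'remaining length'; then the protocol name as a
    2-byte length-prefixed string, "MQTT" (v3.1.1/v5) or "MQIsdp" (v3.1).
    """
    if len(payload) < 2 or payload[0] != 0x10:
        return False
    i = 1
    for _ in range(4):                       # remaining-length varint, at most 4 bytes
        if i >= len(payload):
            return False
        b = payload[i]
        i += 1
        if not b & 0x80:
            break
    else:
        return False                         # continuation bit still set after 4 bytes: malformed
    if i + 2 > len(payload):
        return False
    name_len = int.from_bytes(payload[i:i + 2], "big")
    name = payload[i + 2:i + 2 + name_len]
    return name in (b"MQTT", b"MQIsdp")


def parse_line(line: str) -> Conn:
    """Parse one constructed 'key=value' endpoint-network log line."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Conn(kv["host"], kv["proc"].lower(), kv["dst"].lower(),
                int(kv["port"]), bytes.fromhex(kv.get("hex", "")))


def triage(lines):
    """Return (host, process, reason) for every connection that matches a rule."""
    hits = []
    for line in lines:
        c = parse_line(line)
        # Rule 1: a script host pulling from the Discord CDN (loader/backdoor staging).
        if c.process in SCRIPT_HOSTS and c.dst in DISCORD_CDN_HOSTS:
            hits.append((c.host, c.process, "script host fetching from Discord CDN"))
        # Rule 2: MQTT client traffic from a host with no business speaking MQTT.
        # The port check covers the common case; the signature check covers MQTT on 443 etc.
        if c.host not in MQTT_ALLOWED_HOSTS and (
                c.port in MQTT_PORTS or looks_like_mqtt_connect(c.first_bytes)):
            hits.append((c.host, c.process, "MQTT CONNECT from non-IoT host"))
    return hits


# Constructed sample telemetry (hex = first payload bytes of the flow).
SAMPLE_LOG = [
    "host=ws-17 proc=wscript.exe dst=cdn.discordapp.com port=443 hex=16030100",
    "host=ws-22 proc=chrome.exe dst=cdn.discordapp.com port=443 hex=16030100",
    "host=iot-gw-01 proc=mosquitto.exe dst=broker.example port=1883 hex=101c00044d515454",
    "host=ws-17 proc=svchost.exe dst=203.0.113.10 port=8883 hex=101c00044d515454",
    "host=ws-05 proc=update.exe dst=198.51.100.7 port=443 hex=101200044d51545404",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit)
```

Run against the constructed sample, the script flags the `wscript.exe` fetch from the Discord CDN, the `svchost.exe` connection on 8883, and the `update.exe` flow on 443 whose first bytes are an MQTT CONNECT header, while leaving the browser download and the allowlisted IoT gateway alone. In production the allowlist and the first-bytes field would come from your own asset inventory and packet capture or NDR, and Rule 1 is a triage signal rather than a verdict, since legitimate scripts do occasionally download from Discord.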

“The move to use the MQTT protocol by WailingCrab represents a focused effort at stealth and detection evasion,” the researchers concluded. “Newer WailingCrab variants also remove Discord callouts for extracting payloads, further increasing its stealth.”

“Discord is becoming a more common choice for threat actors looking to host malware, and as such it is likely that file downloads from the domain will begin to come under a higher level of scrutiny. Therefore, it is not surprising that the developers of WailingCrab decided on an alternative approach.”

The abuse of Discord’s content delivery network (CDN) for the distribution of malware did not go unnoticed by the social media company, which told BleepingComputer earlier this month that it will switch to temporary file links by the end of the year.
