Wikiloader

Malware updated 23 days ago (2024-11-29T13:32:44.552Z)
Download STIX
Preview STIX
WikiLoader, also known as WailingCrab, is a downloader malware first discovered in 2022 by Proofpoint and made public in 2023. This sophisticated malicious software is typically sold in underground marketplaces by an initial access broker (IAB) and is often spread through traditional phishing techniques. Notable campaigns include exploiting open redirect vulnerabilities within websites to avoid detection, and the increasing use of PDF threats, with cybercriminals spreading WikiLoader and other malware like Ursnif and DarkGate through PDF files, according to a report by HP Wolf Security. Italian organizations have been specifically targeted by phishing campaigns deploying WikiLoader, with the intention of installing Ursnif, a banking Trojan, stealer, and spyware. A notable example was a campaign that tricked users into installing Ursnif malware via a fake parcel delivery PDF. These attacks have been attributed to TA544 and TA551 threat operations since December. Additionally, cybercriminals have been posing as sellers of GlobalProtect, a virtual private network (VPN) software from Palo Alto Networks, and delivering a new variant of WikiLoader malware through search engine optimization (SEO) poisoning. In June 2024, Unit 42 detected a new WikiLoader campaign utilizing SEO poisoning as a novel spreading technique. The researchers hypothesized that this change might be due to a different IAB working with WikiLoader or a shift from phishing after improvements in endpoint security controls disrupted their operations. The robustness of WikiLoader campaigns, leveraging a combination of spoofed, compromised, and legitimate infrastructure, underscores the malware operators' focus on building an operationally secure loader with multiple command and control (C2) configurations. Despite these findings, the future of WikiLoader remains uncertain, with the authors suspecting its continued use throughout 2024 and beyond.
Description last updated: 2024-10-17T12:12:02.904Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Ta544 is a possible alias for Wikiloader. TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, als
4
Wailingcrab is a possible alias for Wikiloader. WailingCrab, a malware variant also known as WikiLoader, was first identified in December 2022 by Proofpoint. The stealthy malware has been extensively used in email campaigns to deliver the Gozi backdoor, particularly targeting Italian entities. It was discovered by the Unit 42 Managed Threat Hunti
3
Gozi is a possible alias for Wikiloader. Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
Downloader
Loader
Trojan
Payload
Proofpoint
Wordpress
Sandbox
Vpn
Malware Loader
Loader Malware
Backdoor
Windows
Hp
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Ursnif Malware is associated with Wikiloader. Ursnif, also known as Gozi or ISFB, is a type of malware that has been distributed by threat actor group TA551. This harmful software can infiltrate systems via suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data for raUnspecified
5
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The TA551 Threat Actor is associated with Wikiloader. TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other maUnspecified
3
Source Document References
Information about the Wikiloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
4 months ago
InfoSecurity-magazine
4 months ago
Unit42
4 months ago
DARKReading
7 months ago
DARKReading
9 months ago
InfoSecurity-magazine
10 months ago
DARKReading
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
DARKReading
a year ago
DARKReading
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago