Wikiloader

Malware updated 5 days ago (2024-09-02T15:17:44.468Z)
WikiLoader is a sophisticated malware loader that has been used in notable campaigns identified by HP Wolf Security. It abuses open redirect vulnerabilities in legitimate websites to circumvent detection, a tactic HP calls 'Cat-Phishing'. The malware has been particularly active in Italy, where it is being used in phishing campaigns whose goal is to install Ursnif, a banking Trojan, stealer and spyware. A notable example was a fake parcel-delivery PDF used to trick users into installing Ursnif. More broadly, a rise in PDF-borne threats has been observed, with cybercriminals spreading malware including WikiLoader, Ursnif and DarkGate through such files. According to The Record, a news site run by cybersecurity firm Recorded Future, the malware has been deployed since December by the TA544 and TA551 threat operations against Italian organizations. The WikiLoader campaigns have shown a high level of operational security and robustness, using a mix of spoofed, compromised and legitimate infrastructure. This includes multiple command-and-control (C2) configurations; published indicators for the WikiLoader backdoor and its shellcode loader DLLs take the form of SHA-256 hashes. In one instance, the decryption key for the payload carried by a WikiLoader sample was supplied by the C2 rather than embedded in the sample. Researchers expect the use of WikiLoader to continue throughout 2024 and beyond. One hypothesis for its continued use is that an initial access broker (IAB) has in recent months begun working with WikiLoader to operationalize delivery through search engine optimization (SEO) poisoning; however, the exact reason threat actors have shifted from phishing to SEO poisoning to deliver WikiLoader remains unclear. Financially motivated threat actors are expected to keep renting WikiLoader as a loader for various campaigns because of its robustness, stealth and reasonable attention to operational security.
Description last updated: 2024-09-02T15:17:30.731Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Ta544 | 4 | TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, als
Wailingcrab | 3 | WailingCrab, first observed in December 2022, is a sophisticated, multi-component malware that has been extensively used in email campaigns to deliver the Gozi backdoor, often targeting Italian entities. The malware was identified by the Unit 42 Managed Threat Hunting team as a variant of the WikiLo
Gozi | 2 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
Downloader
Loader
Trojan
Payload
Proofpoint
Wordpress
Sandbox
Vpn
Malware Loader
Loader Malware
Backdoor
Windows
Hp
Analyst Notes & Discussion
Associated Malware
ID | Type | Votes | Profile Description
Ursnif | Unspecified | 5 | Ursnif, also known as Gozi or ISFB, is a type of malware that poses significant threats to computer systems and user data. It's often distributed through suspicious downloads, emails, or websites, infiltrating systems without the user's knowledge. Once installed, Ursnif can steal personal informatio
Associated Threat Actors
ID | Type | Votes | Profile Description
TA551 | Unspecified | 3 | TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma
Source Document References
Information about the Wikiloader malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
DARKReading | 4 days ago | Cyberattackers Spoof Palo Alto VPNs to Spread WikiLoader Variant
InfoSecurity-magazine | 4 days ago | Palo Alto's GlobalProtect VPN Spoofed to Deliver New Malware Variant
Unit42 | 5 days ago | Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant
DARKReading | 4 months ago | HP Catches Cybercriminals 'Cat-Phishing' Users
DARKReading | 6 months ago | Hackers Posing as Law Firms Phish Global Orgs
InfoSecurity-magazine | 7 months ago | PDF Malware on the Rise, Used to Spread WikiLoader, Ursnif and DarkGat
DARKReading | 9 months ago | Exploit for Critical Windows Defender Bypass Goes Public
CERT-EU | 9 months ago | Updated WailingCrab malware loader ups stealth
CERT-EU | 9 months ago | WailingCrab Malware Evolves: Embracing MQTT for Stealthier C2 Communication
CERT-EU | 9 months ago | Alert: New WailingCrab Malware Loader Spreading via Shipping-Themed Emails
DARKReading | 10 months ago | Proof of Concept Exploit Publicly Available for Critical Windows SmartScreen Flaw
DARKReading | 10 months ago | Exploit for Critical Windows Defender Bypass Goes Public
InfoSecurity-magazine | a year ago | Four in Five Cyber-Attacks Powered by Just Three Malware Loaders
CERT-EU | a year ago | The Week in Security: Malware gives remote access to air-gapped devices, cyber attackers target Italy
CERT-EU | a year ago | Russia, Serbia targeted by Space Pirates threat group
CERT-EU | a year ago | Python versions of stealer malware discovered targeting Facebook business accounts
BankInfoSecurity | a year ago | Breach Roundup: Evotec Slashes Earnings Estimate After Hack
CERT-EU | a year ago | Novel attack infrastructure established by Russian hackers to bypass detection
CERT-EU | a year ago | Novel WikiLoader malware examined
Securityaffairs | a year ago | WikiLoader malware-as-a-service targets Italian organizations