Wikiloader

Malware updated a month ago (2024-10-17T13:01:09.584Z)

Download STIX

Preview STIX

WikiLoader, also known as WailingCrab, is a downloader malware first discovered in 2022 by Proofpoint and made public in 2023. This sophisticated malicious software is typically sold in underground marketplaces by an initial access broker (IAB) and is often spread through traditional phishing techniques. Notable campaigns include exploiting open redirect vulnerabilities within websites to avoid detection, and the increasing use of PDF threats, with cybercriminals spreading WikiLoader and other malware like Ursnif and DarkGate through PDF files, according to a report by HP Wolf Security. Italian organizations have been specifically targeted by phishing campaigns deploying WikiLoader, with the intention of installing Ursnif, a banking Trojan, stealer, and spyware. A notable example was a campaign that tricked users into installing Ursnif malware via a fake parcel delivery PDF. These attacks have been attributed to TA544 and TA551 threat operations since December. Additionally, cybercriminals have been posing as sellers of GlobalProtect, a virtual private network (VPN) software from Palo Alto Networks, and delivering a new variant of WikiLoader malware through search engine optimization (SEO) poisoning. In June 2024, Unit 42 detected a new WikiLoader campaign utilizing SEO poisoning as a novel spreading technique. The researchers hypothesized that this change might be due to a different IAB working with WikiLoader or a shift from phishing after improvements in endpoint security controls disrupted their operations. The robustness of WikiLoader campaigns, leveraging a combination of spoofed, compromised, and legitimate infrastructure, underscores the malware operators' focus on building an operationally secure loader with multiple command and control (C2) configurations. Despite these findings, the future of WikiLoader remains uncertain, with the authors suspecting its continued use throughout 2024 and beyond.

Description last updated: 2024-10-17T12:12:02.904Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Ta544 is a possible alias for Wikiloader. TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, als	4
Wailingcrab is a possible alias for Wikiloader. WailingCrab, a malware variant also known as WikiLoader, was first identified in December 2022 by Proofpoint. The stealthy malware has been extensively used in email campaigns to deliver the Gozi backdoor, particularly targeting Italian entities. It was discovered by the Unit 42 Managed Threat Hunti	3
Gozi is a possible alias for Wikiloader. Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Phishing

Downloader

Loader

Trojan

Payload

Proofpoint

Wordpress

Sandbox

Vpn

Malware Loader

Loader Malware

Backdoor

Windows

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Ursnif Malware is associated with Wikiloader. Ursnif, also known as Gozi or ISFB, is a type of malware that has been distributed by threat actor group TA551. This harmful software can infiltrate systems via suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data for ra	Unspecified	5

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The TA551 Threat Actor is associated with Wikiloader. TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma	Unspecified	3

Source Document References

Information about the Wikiloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	3 months ago	Cyberattackers Spoof Palo Alto VPNs to Spread WikiLoader Variant
InfoSecurity-magazine	3 months ago	Palo Alto’s GlobalProtect VPN Spoofed to Deliver New Malware Variant
Unit42	3 months ago	Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant
DARKReading	6 months ago	HP Catches Cybercriminals 'Cat-Phishing' Users
DARKReading	8 months ago	Hackers Posing as Law Firms Phish Global Orgs
InfoSecurity-magazine	9 months ago	PDF Malware on the Rise, Used to Spread WikiLoader, Ursnif and DarkGat
DARKReading	a year ago	Exploit for Critical Windows Defender Bypass Goes Public
CERT-EU	a year ago	Updated WailingCrab malware loader ups stealth
CERT-EU	a year ago	WailingCrab Malware Evolves: Embracing MQTT for Stealthier C2 Communication
CERT-EU	a year ago	Alert: New WailingCrab Malware Loader Spreading via Shipping-Themed Emails
DARKReading	a year ago	Proof of Concept Exploit Publicly Available for Critical Windows SmartScreen Flaw
DARKReading	a year ago	Exploit for Critical Windows Defender Bypass Goes Public
InfoSecurity-magazine	a year ago	Four in Five Cyber-Attacks Powered by Just Three Malware Loaders
CERT-EU	a year ago	The Week in Security: Malware gives remote access to air-gapped devices, cyber attackers target Italy
CERT-EU	a year ago	Russia, Serbia targeted by Space Pirates threat group
CERT-EU	a year ago	Python versions of stealer malware discovered targeting Facebook business accounts
BankInfoSecurity	a year ago	Breach Roundup: Evotec Slashes Earnings Estimate After Hack
CERT-EU	a year ago	Novel attack infrastructure established by Russian hackers to bypass detection
CERT-EU	a year ago	Novel WikiLoader malware examined
Securityaffairs	a year ago	WikiLoader malware-as-a-service targets Italian organizations