Security researchers at Proofpoint have discovered WikiLoader, a new malware downloader that is still under active development. WikiLoader has been observed in multiple campaigns since December 2022, largely targeting Italian organizations. The malware is delivered through a variety of lures, including OneNote attachments with embedded executables, PDF files containing URLs that lead to JavaScript payloads, and documents with macros.
WikiLoader: Evading Detection with Ursnif Payloads
WikiLoader’s primary objective is to load a second-stage payload, which is frequently one of the Ursnif malware variants. WikiLoader checks its environment by making an HTTPS request to “wikipedia.com” and looking for specific strings in the response; if the expected content is not returned, it assumes it is running inside an automated analysis environment and does not proceed. The malware’s initial stage uses a variety of obfuscation methods to hinder analysis in disassemblers such as IDA Pro and Ghidra. To evade EDR hooks and sandboxed environments, WikiLoader also makes use of indirect system calls.
The existence of three distinct versions suggests that the developers are actively increasing the loader’s complexity to make payload extraction and analysis more difficult for researchers. The most recent version, identified on July 11, adds further encryption of its data, hides its system interactions, and retrieves files over encrypted protocols to further obscure its activity.
According to the researchers, WikiLoader may become a useful tool for initial access brokers (IABs), allowing them to deliver additional malware during intrusions. Organizations are encouraged to block the execution of embedded files in OneNote documents, disable macros by default for all staff, and use Group Policy to change the default file association so that JavaScript files open in Notepad or a similar editor instead of the Windows Script Host.
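The three mitigations above are normally deployed through Group Policy; the following PowerShell is an added example (not code from Proofpoint or the original article) that applies the same settings locally for the current user and then audits them, so a defender can see exactly which registry values the policies control. It assumes Office 2016 or Microsoft 365 (registry version 16.0). The JSFile/JSEFile ProgIDs, the `VBAWarnings` value (4 = disable all macros without notification) and `BlockContentExecutionFromInternet` are documented Windows and Office settings; the OneNote `EmbeddedFileOpenOptions` value is included as an assumption and should be checked against Microsoft’s current OneNote policy documentation before deployment.

```powershell
# Added example: local equivalent of the Group Policy hardening described above.
# In production, push these via Group Policy Preferences / Office ADMX templates.
$ErrorActionPreference = 'Stop'

function Set-RegistryValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Open .js / .jse in Notepad instead of WScript.exe.
#    We change the ProgID's open command (JSFile / JSEFile) rather than the per-extension
#    UserChoice key, which is hash-protected; HKCU\Software\Classes takes precedence over HKLM.
$notepadCommand = '"%SystemRoot%\System32\notepad.exe" "%1"'
foreach ($progId in 'JSFile', 'JSEFile') {
    $cmdKey = "HKCU:\Software\Classes\$progId\Shell\Open\Command"
    Set-RegistryValue -Path $cmdKey -Name '(default)' -Value $notepadCommand -Type 'ExpandString'
}

# 2. Disable VBA macros without notification and block macros in files from the Internet
#    (Mark-of-the-Web) for the main Office applications.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $secKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-RegistryValue -Path $secKey -Name 'VBAWarnings' -Value 4
    Set-RegistryValue -Path $secKey -Name 'BlockContentExecutionFromInternet' -Value 1
}

# 3. Block embedded files in OneNote.
#    ASSUMPTION: value name and meaning (2 = block) taken from memory of Microsoft's
#    OneNote policy; verify against current documentation before rolling out.
$oneNoteKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\OneNote\Options'
Set-RegistryValue -Path $oneNoteKey -Name 'EmbeddedFileOpenOptions' -Value 2

# 4. Audit: report the effective values and a simple pass/fail for the script-handler change.
function Test-JsHandlerIsNotepad {
    $cmd = (Get-ItemProperty 'HKCU:\Software\Classes\JSFile\Shell\Open\Command').'(default)'
    return ($cmd -match 'notepad\.exe')
}

function Get-ScriptHardeningState {
    [pscustomobject]@{
        JsOpenCommand        = (Get-ItemProperty 'HKCU:\Software\Classes\JSFile\Shell\Open\Command').'(default)'
        JsOpensInNotepad     = Test-JsHandlerIsNotepad
        WordVbaWarnings      = (Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security').VBAWarnings
        WordBlockMotwMacros  = (Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security').BlockContentExecutionFromInternet
        OneNoteEmbeddedFiles = (Get-ItemProperty $oneNoteKey).EmbeddedFileOpenOptions
    }
}

Get-ScriptHardeningState | Format-List
```

`Test-JsHandlerIsNotepad` is the piece worth keeping in a scheduled compliance check: if a user or installer re-associates JSFile with `WScript.exe`, the double-click path from a phishing lure back to script execution is open again, and the function returns `$false`.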