WikiLoader: Evading Detection with Ursnif Payloads
WikiLoader’s primary objective is to load a second-stage payload, which is frequently one of the Ursnif malware variants. WikiLoader conceals itself by making an HTTPS request to “wikipedia.com” and checking the response for specific strings, a check intended to detect and evade automated analysis environments. The malware’s initial stage uses a variety of obfuscation methods to hinder analysis in disassemblers such as IDA Pro and Ghidra. To evade EDR products and sandboxed environments, WikiLoader also makes use of indirect system calls.
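From the defender’s side, the wikipedia.com connectivity check described above is itself a signal: a browser reaching wikipedia.com is normal, but an unrelated process opening HTTPS to that domain is worth a look. The following is an added example, not code from the article or from any vendor: it scans constructed network-connection events (field names modelled on Sysmon Event ID 3) and flags non-browser processes contacting wikipedia.com; the browser allow-list and sample events are assumptions.

```python
# Added example: flag non-browser processes that open HTTPS to wikipedia.com,
# the connectivity/anti-analysis probe the article attributes to WikiLoader.
# Event field names follow Sysmon Event ID 3 (network connection); the
# browser allow-list and the sample telemetry below are constructed.
from typing import Iterable

# Assumed allow-list: processes for which a wikipedia.com connection is benign.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
PROBE_DOMAIN = "wikipedia.com"


def is_probe_domain(host: str) -> bool:
    """True for wikipedia.com itself or any of its subdomains."""
    host = host.lower().rstrip(".")
    return host == PROBE_DOMAIN or host.endswith("." + PROBE_DOMAIN)


def detect_wikipedia_probe(events: Iterable[dict]) -> list:
    """Return events where a non-browser process initiates HTTPS to wikipedia.com."""
    hits = []
    for ev in events:
        # Reduce the full image path to its file name for the allow-list check.
        image = ev.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if ev.get("Initiated", "true").lower() != "true":
            continue  # only outbound connections matter here
        if int(ev.get("DestinationPort", 0)) != 443:
            continue  # the article describes an HTTPS call
        if not is_probe_domain(ev.get("DestinationHostname", "")):
            continue
        if image in BROWSER_IMAGES:
            continue  # expected browser traffic
        hits.append({"Image": ev["Image"],
                     "DestinationHostname": ev["DestinationHostname"]})
    return hits


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "en.wikipedia.com", "DestinationPort": "443", "Initiated": "true"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "DestinationHostname": "wikipedia.com", "DestinationPort": "443", "Initiated": "true"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationHostname": "update.example.test", "DestinationPort": "443", "Initiated": "true"},
]

if __name__ == "__main__":
    for hit in detect_wikipedia_probe(SAMPLE_EVENTS):
        print("suspicious wikipedia.com probe:", hit)
```

Only the rundll32.exe event is reported; tune the allow-list to the browsers actually deployed in your environment before using this as a hunting query.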
The existence of three distinct versions suggests an ongoing effort to increase complexity and make payload extraction and analysis more difficult for researchers. The most recent version, identified on July 11, uses stronger data encryption, covert system management, and file retrieval over encrypted protocols to further obscure its activity.