Cybercriminals are employing email messages centred around delivery and shipping to spread a newly identified and sophisticated malware loader named WailingCrab.
“The malware itself is split into multiple components, including a loader, injector, downloader, and backdoor,” stated Charlotte Hammond, Ole Villadsen, and Kat Metrick, researchers from IBM X-Force. “Successful requests to C2-controlled servers are often necessary to retrieve the next stage,” they said.
The infamous WailingCrab, alias WikiLoader, first surfaced in the records of Proofpoint in August 2023. The initial report shed light on campaigns specifically aimed at Italian companies, revealing the subsequent use of the malware to propagate the Ursnif trojan, also known as Gozi. Notably, by the close of December 2022, WailingCrab was identified in its natural environment.
[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing
Attributed to the threat actor TA544, also recognized as Bamboo Spider and Zeus Panda, this malware has been associated with various aliases. IBM X-Force, in particular, refers to the threat actor as Hive0133.
Malicious software under active maintenance by its operators exhibits a distinctive capability to incorporate features designed for stealth and resilience against analysis efforts. These characteristics have been identified within the malware. Notably, the initial command-and-control (C2) interactions are executed via compromised versions of legitimate websites. This strategic approach significantly diminishes the probability of detection, enhancing the malware’s ability to operate discreetly.
An additional layer of complexity is introduced as various malicious software components find residence on widely-used platforms like Discord. Notably, since the middle of 2023, the virus has adopted MQTT, a lightweight messaging protocol originally crafted for small sensors and mobile devices, for its command-and-control (C2) operations. This shift marks a significant alteration in the malware’s tactics and further underscores its adaptability.
Due to its restricted application in the threat landscape, the protocol stands out as something of an anomaly. Historically, it has only been deployed in a handful of instances, such as when dealing with Tizi and MQsTTang. This limited usage adds to the protocol’s uniqueness within the context of malware tactics and highlights its selective incorporation by threat actors.
The initial phase of the assault chains involves emails carrying PDF attachments with embedded URLs. These URLs, when accessed, trigger the download of a JavaScript file designed to acquire and launch the WailingCrab loader hosted on Discord.
The loader’s primary function is to kickstart the execution of the shellcode, paving the way for the next step—an injector module. This module, in turn, activates the execution of a downloader, culminating in the installation of the backdoor, completing the intricate sequence of the malware deployment.
“In prior versions, this component would download the backdoor, which would be hosted as an attachment on the Discord CDN,” according to the investigators.
“However, the latest version of WailingCrab already contains the backdoor component encrypted with AES, and it instead reaches out to its C2 to download a decryption key to decrypt the backdoor.”
The central component of the malware, the backdoor, plays a dual role. Firstly, it establishes persistence in the infected host, ensuring a lasting presence. Concurrently, it utilizes the MQTT protocol to communicate with the command-and-control (C2) server, facilitating the reception of new payloads.
Notably, in more recent iterations, the backdoor has adopted an advanced approach. It now employs a shellcode-based payload obtained directly from the C2 server through MQTT, diverging from the earlier method that relied on a download path associated with Discord. This shift in strategy reflects a continuous evolution in the tactics employed by the malware, enhancing its adaptability and sophistication.
“The move to using the MQTT protocol by WailingCrab represents a focused effort on stealth and detection evasion,” according to the investigators. “The newer variants of WailingCrab also remove the callouts to Discord for retrieving payloads, further increasing its stealthiness.”
It is anticipated that file downloads from the domain will start coming under increased levels of inspection as a result of the fact that Discord has become an increasingly common choice for threat actors trying to host malware. [C]ause of this, [D]iscord has become an increasingly regular choice for threat actors looking to house malware. Because of this, it should not come as a surprise that the developers of WailingCrab decided to go in a different direction.
The misuse of Discord’s content delivery network (CDN) for the distribution of malware has not gone ignored by the business behind the social media platform. Discord told Bleeping Computer earlier this month that it will move to temporary file links before the end of the year in response to the issue.
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.