WikiLoader Malware Deployed by TA544 Threat Actor

Researchers have reported that a malware downloader is imitating various Italian organizations, such as the tax agency, in order to deliver a banking Trojan to target Italian companies. The downloader, dubbed "WikiLoader" by Proofpoint, employs several tactics to avoid detection. The group behind it, known as TA544, is believed to be financially motivated and may intend to rent WikiLoader to other cybercriminals. Ultimately, this loader leads to the Ursnif banking Trojan, a favored choice by TA544.

The name "WikiLoader" derives from the malware's behavior of sending a request to Wikipedia and checking for the presence of the string "The Free" in the response, as stated by the researchers.

WikiLoader Spread Through Malicious Document Attachments

Since December 2022, Proofpoint has observed at least eight campaigns distributing WikiLoader. These campaigns began with emails containing attachments in the form of Microsoft Excel, OneNote, or regular PDF files. WikiLoader was found to be distributed by two threat actors, TA544 and TA551, with both focusing on Italy. Although hackers have moved away from using malicious Microsoft Office macro-laced attachments due to Microsoft's security efforts, TA544 continues to use them in its attack chains.

The Microsoft Excel attachments used characteristic VBA macros. Enabling these macros would trigger the download and execution of WikiLoader, a previously unknown downloader discovered by Proofpoint during the campaign attributed to TA544. VBA refers to the Visual Basic for Applications programming language integrated into the Office suite.

The authors of WikiLoader seem to regularly update the malware to evade detection and stay under the radar. Given its capabilities, it is likely that more cybercriminals, especially those known as initial access brokers, will use this downloader, potentially leading to ransomware attacks, according to Selena Larson, senior threat intelligence analyst at Proofpoint.

The Ursnif malware's source code leaked online in 2015, allowing attackers to develop customized and harder-to-detect versions of the Trojan. Ursnif, also known as DreamBot and Gozi ISFB, specifically targets the banking and financial sectors, stealing passwords and credentials from victims.

In February, TA544 launched a campaign using an updated version of WikiLoader, pretending to be an Italian courier service. This version was more sophisticated, employing additional stalling mechanisms to evade automated analysis and using encoded strings.

To protect against these threats, Proofpoint researchers recommend that organizations disable macros by default for all employees and block the execution of embedded external files within OneNote documents.
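As an added example (not Proofpoint's code or anything from the report), the following PowerShell audits and, where needed, applies those two controls on a single Windows host through the Office policy registry keys, the same keys a domain GPO would set. The Office 16.0 policy path and the OneNote value name `disableembeddedfiles` are assumptions to confirm against Microsoft's Office policy documentation for your build.

```powershell
# Added example: audit and enforce "macros off" and "no OneNote embedded files"
# via Office policy keys. Assumes Office 16.0 (2016/2019/365); value names are
# taken from Microsoft's Office policy documentation as understood here.

$Office = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Desired state: VBAWarnings 4 = "Disable all macros without notification";
# blockcontentexecutionfrominternet 1 = block macros in Mark-of-the-Web files.
$MacroPolicies = @{
    "$Office\Excel\Security"      = @{ VBAWarnings = 4; blockcontentexecutionfrominternet = 1 }
    "$Office\Word\Security"       = @{ VBAWarnings = 4; blockcontentexecutionfrominternet = 1 }
    "$Office\PowerPoint\Security" = @{ VBAWarnings = 4; blockcontentexecutionfrominternet = 1 }
}
# OneNote: disableembeddedfiles 1 blocks opening of any embedded attachment
# (value name is an assumption; verify against the OneNote embedded-file policy).
$OneNotePolicies = @{
    "$Office\OneNote\Options\EmbeddedFileOpenOptions" = @{ disableembeddedfiles = 1 }
}

function Test-OfficePolicy {
    # Compare each expected value with what is actually in the registry.
    param([hashtable]$Policies)
    $findings = @()
    foreach ($path in $Policies.Keys) {
        foreach ($name in $Policies[$path].Keys) {
            $want = $Policies[$path][$name]
            $have = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            $findings += [pscustomobject]@{
                Key = "$path\$name"; Expected = $want; Actual = $have
                Compliant = ($have -eq $want)
            }
        }
    }
    $findings
}

function Set-OfficePolicy {
    # Create missing keys and write the DWORD policy values.
    param([hashtable]$Policies)
    foreach ($path in $Policies.Keys) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $Policies[$path].Keys) {
            New-ItemProperty -Path $path -Name $name -Value $Policies[$path][$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Report drift first; enforce only when something is non-compliant.
$audit = Test-OfficePolicy ($MacroPolicies + $OneNotePolicies)
$audit | Format-Table -AutoSize
if ($audit | Where-Object { -not $_.Compliant }) {
    Set-OfficePolicy ($MacroPolicies + $OneNotePolicies)
}
```

Run the audit alone on a few representative machines before enforcing, since policy keys set under HKCU apply only to the current user and a domain GPO will overwrite them at the next refresh.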

August 1, 2023