New WailingCrab Backdoor Turns Your Email into a Weapon against You

Brother

The story of how a single email reveals your entire digital life to spies.

IBM X-Force has identified a new malware downloader called WailingCrab (WikiLoader). First documented in August 2023, the malware was used to attack Italian organizations in order to deploy the Ursnif trojan. The TA544 hacker group (Bamboo Spider, Zeus Panda) is responsible for creating the malware; IBM X-Force tracks this group as Hive0133.

WailingCrab operators are constantly updating the malware, adding features that provide stealth and make analysis difficult. To reduce the chances of detection, compromised legitimate websites are used for initial communication with the Command and Control server (C2). Malware components are also hosted on Discord. Since mid-2023, WailingCrab has used the MQTT messaging protocol to communicate with the C2 server, which is a rarity in the world of cyber threats.

WailingCrab consists of several components: a loader, an injector, a downloader, and a backdoor. Attacks start with emails carrying PDF attachments that contain URLs; clicking one downloads a JavaScript file, which launches the WailingCrab loader hosted on Discord. The loader launches the next stage, the injector module, which in turn launches the downloader to deploy the backdoor.

The backdoor, the main component of the malware, is designed to provide persistence on the infected device and to communicate with the C2 server over MQTT to receive additional payloads. IBM noted that WailingCrab's move from Discord to MQTT indicates a focus on stealth and evasion of detection. In addition, the new WailingCrab variants eliminate calls to Discord for receiving payloads, which further increases their stealth.
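Because MQTT is so rarely spoken by user workstations, simply recognising MQTT sessions regardless of TCP port is a useful anomaly signal for defenders. The following is an added example, not code from the original post or from IBM's report: a minimal parser for MQTT CONNECT and PUBLISH packets that can be run over raw TCP payloads. The sample payloads are constructed for the example and are not WailingCrab traffic.

```python
import struct

def _remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length' field (1-4 bytes)."""
    value = 0
    for shift in range(0, 28, 7):
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def _utf8_field(buf, pos):
    """Read a 2-byte big-endian length-prefixed UTF-8 string."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def parse_mqtt(payload):
    """Describe an MQTT CONNECT or PUBLISH packet; None if it is neither."""
    try:
        ptype, flags = payload[0] >> 4, payload[0] & 0x0F  # fixed header
        length, pos = _remaining_length(payload, 1)
        if pos + length > len(payload):
            return None  # truncated, or simply not MQTT
        if ptype == 1:  # CONNECT
            name, pos = _utf8_field(payload, pos)
            if name not in ("MQTT", "MQIsdp"):  # v3.1.1/v5 and v3.1 names
                return None
            level, cflags = payload[pos], payload[pos + 1]
            keepalive = struct.unpack_from(">H", payload, pos + 2)[0]
            client_id, _ = _utf8_field(payload, pos + 4)
            return {"type": "CONNECT", "protocol": name, "level": level,
                    "client_id": client_id, "keepalive": keepalive,
                    "has_credentials": bool(cflags & 0x80)}
        if ptype == 3:  # PUBLISH
            topic, pos = _utf8_field(payload, pos)
            qos = (flags >> 1) & 0x03
            pos += 2 if qos else 0  # packet identifier only when QoS > 0
            return {"type": "PUBLISH", "topic": topic, "qos": qos,
                    "payload": payload[pos:]}
    except (IndexError, ValueError, struct.error, UnicodeDecodeError):
        pass
    return None

# Constructed sample TCP payloads: an MQTT CONNECT, a PUBLISH and plain HTTP.
SAMPLES = {
    "connect": bytes.fromhex("101000044d5154540402003c0004626f7431"),
    "publish": bytes.fromhex("300c000663322f636d6470696e67"),
    "http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}
```

Feeding the first payload of each outbound flow to `parse_mqtt` and alerting when a non-IoT host returns a CONNECT gives a port-independent check for the kind of channel described above.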

Discord, which has become a popular choice for hackers, plans to switch to temporary file links by the end of the year to counter the abuse of its Content Delivery Network (CDN) to spread malware.