
New Malware WikiLoader Targeting Italian Organizations

Campaign Uses Malicious Microsoft Office Attachments

A malware downloader is spoofing Italian organizations, including the tax agency, to deliver a banking Trojan to Italian companies, researchers said.


Proofpoint calls the downloader WikiLoader and said in a post on Monday that the malware uses multiple mechanisms to evade detection. The financially motivated threat actor behind it, which Proofpoint tracks as TA544, likely developed WikiLoader with an eye to renting it to "select cybercriminal threat actors." The loader ultimately leads to the Ursnif banking Trojan, one of two Trojans favored by TA544.

"It is named WikiLoader due to the malware making a request to Wikipedia and checking that the response has the string "The Free" in the contents," the researchers wrote.

Proofpoint said that it has observed at least eight campaigns distributing WikiLoader since December 2022.

The campaigns began with emails containing Microsoft Excel or OneNote attachments or a regular PDF. The researchers observed WikiLoader being distributed by at least two threat actors, TA544 and TA551, both of which were targeting Italy. Hackers have pivoted away from using malicious Microsoft Office macro-laced attachments in tandem with Microsoft's effort to block macros from executing, but TA544 "has continued to use them in attack chains," the researchers said.

"The Microsoft Excel attachments contained characteristic VBA macros which, if enabled by the recipient, would download and execute a new unidentified downloader that Proofpoint researchers eventually dubbed WikiLoader. This campaign was attributed to TA544," the researchers said. VBA refers to the Visual Basic for Applications programming language that's built into the Office suite.

"Its authors appear to make regular changes to try and remain undetected and fly under the radar. It is likely more criminal threat actors will use this, especially those known as initial access brokers that conduct regular activity that leads to ransomware," said Selena Larson, senior threat intelligence analyst at Proofpoint.

The source code for the Ursnif malware leaked online in 2015, allowing attackers to develop more customized and harder-to-detect versions of the Trojan (see: New Ursnif Variant Spreads Through Infected Word Documents).

Ursnif, which also goes by the names DreamBot and Gozi ISFB, is designed to steal passwords and credentials from victims and focuses on the banking and financial sectors.

A February TA544 campaign used an updated version of WikiLoader and spoofed an Italian courier service. That version was more complex: it used encoded strings and additional stalling mechanisms in an attempt to evade automated analysis.

Proofpoint researchers recommend that organizations ensure macros are disabled by default for all employees and block the execution of embedded external files within OneNote documents.


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



