
WikiLoader: malware attack against Italian companies

Malware attack in Italy: Proofpoint researchers have identified a new malware, called WikiLoader, targeting companies in Italy. It is a downloader that fetches a second-stage payload (Ursnif) and uses sophisticated evasion techniques to avoid detection by security researchers. At least eight malicious campaigns have been identified as of December 2022. Some involve phishing emails with Excel documents attached that appear to come from the Italian Revenue Agency; clicking the “View” button runs the VBA macro that downloads WikiLoader. In others, the attached document appears to come from the courier company GLS.

WikiLoader: why it is so dangerous

More recently, emails with OneNote and PDF attachments have been sent. In the first case, the WikiLoader download starts when the user clicks the “Open” button. In the second, the malware is downloaded by JavaScript as soon as the “Download” button embedded in the PDF is clicked. The malware code is heavily obfuscated to hinder analysis by security researchers. It also makes an HTTPS request to Wikipedia (hence the name) to check whether the device has Internet connectivity.

After several stages, Ursnif, a banking trojan that steals various data, including passwords stored in browsers, is downloaded. However, WikiLoader’s functionality may change in the future so that other malware, including ransomware, can be delivered. According to Proofpoint’s findings, cybercriminals have launched nearly 50 malware campaigns against Italian companies, 80 per cent of which used emails with attachments leading to Ursnif downloads.

On July 11, 2023, the researchers identified further changes to WikiLoader: a revamped communication protocol for reaching compromised web hosts and more advanced deadlock mechanisms that make it harder to detect. In this campaign, TA544 used accounting-industry themed content to send PDF attachments containing URLs that led to the download of a zipped JavaScript file; running that file downloaded and executed WikiLoader.


It changes to remain undetected

The WikiLoader distribution campaigns were characterized by a high volume of malicious emails, with more than 150,000 messages involved in some of them. The attacks did not exclusively target Italian organizations, but the research shows that the main focus was clearly on Italy. Cybersecurity experts and organizations are now alert to this new digital threat. Awareness of the infection vectors and proper protection of corporate networks remain among the most effective defences against WikiLoader and related malware.

Malware attack in Italy

So far, Proofpoint has only observed WikiLoader delivering Ursnif as a second-stage payload. However, given its use by multiple threat actors, it is possible that more e-crime actors, especially those operating as initial access brokers (IABs), will use WikiLoader in the future as a mechanism to deliver additional malware payloads. Based on analysis of multiple versions, Proofpoint assesses with high confidence that this malware is in rapid development, and that the threat actors are attempting to make the loader more complicated and the payload harder to retrieve.

“WikiLoader is delivered via activities regularly observed by threat actors, including macro-enabled documents, PDFs containing URLs leading to a JavaScript payload, and OneNote attachments with embedded executables. Thus, user interaction is required to begin the malware installation. Organizations should ensure macros are disabled by default for all employees, block the execution of embedded external files within OneNote documents, and ensure JavaScript files are opened by default in a notepad or similar application, by adjusting default file extension associations via group policy object (GPO),” the researchers said.
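The following PowerShell script is an added example, not code from the article or from Proofpoint. It audits two of the host controls the researchers recommend on a single Windows workstation, the script-file handler and the Office macro policy (the OneNote control is not covered), and with -Remediate writes the hardened values. It assumes the Office 16.0 registry layout (Office 2016 / Microsoft 365) and that it runs as the interactive user; remediating HKCR needs an elevated prompt, and in a domain the same values would be pushed by GPO.

```powershell
<# Added audit/remediation example (not the article's or Proofpoint's code).
   Assumptions: Office 16.0 policy keys; run as the interactive user;
   -Remediate requires elevation for the HKEY_CLASSES_ROOT writes. #>
param([switch]$Remediate)

$findings   = @()
$notepadCmd = '"%SystemRoot%\system32\notepad.exe" "%1"'

# 1. Windows Script Host file types: the Open handler should be notepad,
#    not WScript/CScript. Per-user UserChoice overrides under
#    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts are not checked here.
$scriptTypes = @{ '.js' = 'JSFile'; '.jse' = 'JSEFile'; '.wsf' = 'WSFFile' }
foreach ($ext in $scriptTypes.Keys) {
    # Resolve .ext -> ProgID, falling back to the stock ProgID if the key is absent
    $progId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { $progId = $scriptTypes[$ext] }
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    $cmd    = (Get-ItemProperty $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -match 'wscript|cscript') {
        $findings += "$ext ($progId) still opens in a script host: $cmd"
        if ($Remediate) { Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepadCmd }
    }
}

# 2. Office macro policy. VBAWarnings: 4 = disable all macros without notification,
#    3 = disable except digitally signed, 2 = warn but let the user enable (default).
foreach ($app in 'Excel', 'Word') {
    $polKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $vba = (Get-ItemProperty $polKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($vba -notin 3, 4) {
        $findings += "${app}: VBAWarnings is '$vba' (expected 3 or 4)"
        if ($Remediate) {
            New-Item -Path $polKey -Force | Out-Null
            Set-ItemProperty -Path $polKey -Name VBAWarnings -Value 4 -Type DWord
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'Script-file handler and macro policy are both in place.' }
```

Run it without switches first to see which hosts deviate; the same keys can then be deployed centrally rather than fixed machine by machine.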

Antonino Caffo has worked in journalism, particularly technology journalism, for fifteen years. He is interested in topics related to IT security as well as consumer electronics. Antonino writes for the most important Italian general-interest and trade publications. You can sometimes see him on television explaining how technology works, which is not as trivial as it seems to everyone.