Wikiloader: The Sophisticated New Malware Threat Targeting Italy

Cybersecurity firm Proofpoint reports that a notorious threat group, known for targeting entities in Europe and Asia, has recently deployed a new form of malware against Italian organizations.

Proofpoint analysts first detected the malware, named WikiLoader, in December. The threat group, tracked as TA544, uses it as one of its primary tools. Proofpoint also assesses that the malware is likely offered for sale and that multiple cybercriminal groups have access to it.

The malware earned the name WikiLoader from a distinctive check it performs: it sends a request to Wikipedia and looks for the string “The Free” in the response. Proofpoint describes this as “an evasive maneuver” intended to confirm that the infected device has a real internet connection and is not running inside a simulated environment (a sandbox), which cybersecurity professionals commonly use to detect and contain malicious software.
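Sandbox operators routinely defeat connectivity checks of this kind by serving fake internet content. The following is an added illustration, not code from the original article or from Proofpoint: a minimal local responder that answers as if it were wikipedia.org, alongside a function that reproduces the loader's “The Free” test so an analyst can confirm the sample would proceed. The page body and function names are constructed assumptions.

```python
"""Fake-internet responder for a sandbox: satisfies a WikiLoader-style
connectivity check that looks for "The Free" in a Wikipedia response."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the real Wikipedia front page; only the
# "The Free" substring matters to the check Proofpoint describes.
FAKE_WIKIPEDIA_BODY = b"<html><title>Wikipedia, The Free Encyclopedia</title></html>"
MARKER = b"The Free"


def looks_online(body: bytes) -> bool:
    """The loader's decision rule: the marker string must be present."""
    return MARKER in body


class FakeWikipediaHandler(BaseHTTPRequestHandler):
    """Answer every GET as wikipedia.org would, so the sample believes it is online."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(FAKE_WIKIPEDIA_BODY)))
        self.end_headers()
        self.wfile.write(FAKE_WIKIPEDIA_BODY)

    def log_message(self, *args):  # keep the analysis console quiet
        pass


def start_fake_wikipedia(port: int = 0):
    """Start the responder on a background thread; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", port), FakeWikipediaHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def passes_connectivity_check(url: str, timeout: float = 3.0) -> bool:
    """Fetch the page the way the loader would and apply looks_online().
    Returns False on any network failure, i.e. the sample would stop."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return looks_online(resp.read())
    except OSError:
        return False


if __name__ == "__main__":
    server, base_url = start_fake_wikipedia()
    print("sample would continue:", passes_connectivity_check(base_url))
    server.shutdown()
```

In a real sandbox the DNS name wikipedia.org would be pointed at this responder (for example via a hosts file or a fake-DNS service) so the sample never reaches the internet.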

WikiLoader’s role appears to be weakening the target system’s defenses and then delivering a second, previously documented piece of malware called Ursnif, a banking trojan used to steal sensitive data such as passwords for banking websites.

Proofpoint observed campaigns using WikiLoader to install Ursnif as a “follow-on payload” on December 27th, February 8th, and July 11th. The first campaign used a spoofed document purporting to come from the Italian Revenue Agency as the lure for the targeted firms.

Although TA544’s country affiliation remains uncertain, previous Proofpoint investigations confirm the threat group’s focus on targets in Italy, Poland, Germany, Spain, and Japan since at least 2017.

Selena Larson, Proofpoint’s senior threat intelligence analyst, commented on the latest findings: “WikiLoader is a sophisticated new malware that recently appeared on the cybercrime threat landscape, primarily associated with campaigns delivering Ursnif. Furthermore, it is currently under active development, and its authors regularly make changes to avoid detection and fly under the radar.”

Larson also warned that other cybercriminal groups, particularly initial access brokers who facilitate ransomware attacks by stealing and selling access to victim networks, might adopt WikiLoader. She advises defenders to be aware of this new malware and of the activity associated with its payload delivery, and to take steps to protect their organizations against exploitation.
